prototype

Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28' (2023-01-31)
  → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21)
• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19)
  → 'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02)
  → 'github:numtide/flake-utils/cfacdce06f30d2b68473a46042957675eebb3401' (2023-04-11)
• Added input 'flake-utils/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/4306fa7c12e098360439faac1a2e6b8e509ec97c' (2023-02-26)
  → 'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/78c4d33c16092e535bc4ba1284ba49e3e138483a' (2023-03-03)
  → 'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)

.gitignore

@@ -0,0 +1 @@
+result

README.md

@@ -0,0 +1,11 @@
+# My NixOS configurations
+
+### Source Layout
+- `/common` - common configuration imported into all `/machines`
+    - `/boot` - config related to bootloaders, cpu microcode, and unlocking LUKS root disks over tor
+    - `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
+    - `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
+    - `/server` - config that creates new nixos services or extends existing ones to meet my needs
+- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
+    - `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
+- `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys

TODO.md

@@ -0,0 +1,84 @@
+# A place for brain dump ideas maybe to be taken off of the shelve one day
+
+### NixOS webtools
+- Better options search https://mynixos.com/options/services 
+
+### Interesting ideas for restructuring nixos config
+- https://github.com/gytis-ivaskevicius/flake-utils-plus
+- https://github.com/divnix/digga/tree/main/examples/devos
+- https://digga.divnix.com/
+- https://nixos.wiki/wiki/Comparison_of_NixOS_setups
+
+### Housekeeping
+- Cleanup the line between hardware-configuration.nix and configuration.nix in machine config
+- remove `options.currentSystem`
+- allow `hostname` option for webservices to be null to disable configuring nginx
+
+### NAS
+- safely turn off NAS on power disconnect
+
+### Shell Comands
+- tailexitnode = `sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true`
+
+### Services
+- setup archivebox
+- radio https://tildegit.org/tilderadio/site
+- music
+    - mopidy
+        - use the jellyfin plugin?
+    - navidrome
+        - spotify secrets for navidrome
+    - picard for music tagging
+    - alternative music software
+        - https://www.smarthomebeginner.com/best-music-server-software-options/
+        - https://funkwhale.audio/
+        - https://github.com/epoupon/lms
+        - https://github.com/benkaiser/stretto
+        - https://github.com/blackcandy-org/black_candy
+        - https://github.com/koel/koel
+        - https://airsonic.github.io/
+        - https://ampache.org/
+- replace nextcloud with seafile
+
+### Archive
+- email
+    - https://github.com/Disassembler0/dovecot-archive/blob/main/src/dovecot_archive.py
+    - http://kb.unixservertech.com/software/dovecot/archiveserver
+
+### Paranoia
+- https://christine.website/blog/paranoid-nixos-2021-07-18
+- https://nixos.wiki/wiki/Impermanence
+
+# Setup CI
+- CI
+    - hydra
+    - https://docs.cachix.org/continuous-integration-setup/
+- Binary Cache
+    - Maybe use cachix https://gvolpe.com/blog/nixos-binary-cache-ci/
+    - Self hosted binary cache? https://www.tweag.io/blog/2019-11-21-untrusted-ci/
+    - https://github.com/edolstra/nix-serve
+    - https://nixos.wiki/wiki/Binary_Cache
+    - https://discourse.nixos.org/t/introducing-attic-a-self-hostable-nix-binary-cache-server/24343
+- Both
+    - https://garnix.io/
+    - https://nixbuild.net
+
+
+# Secrets
+- consider using headscale
+- Replace luks over tor for remote unlock with luks over tailscale using ephemeral keys
+- Rollover luks FDE passwords
+- /secrets on personal computers should only be readable using a trusted ssh key, preferably requiring a yubikey
+- Rollover shared yubikey secrets
+- offsite backup yubikey, pw db, and ssh key with /secrets access
+
+### Misc
+- for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
+  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
+- https://github.com/pop-os/system76-scheduler
+- improve email a little bit https://helloinbox.email
+- remap razer keys https://github.com/sezanzeb/input-remapper
+
+### Future Interests (upon merge into nixpkgs)
+- nixos/thelounge: add users option https://github.com/NixOS/nixpkgs/pull/157477
+- glorytun: init at 0.3.4 https://github.com/NixOS/nixpkgs/pull/153356

common/auto-update.nix

@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+
+# Modify auto-update so that it pulls a flake
+
+let
+  cfg = config.system.autoUpgrade;
+in
+{
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      system.autoUpgrade = {
+        flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
+        flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
+
+        # dates = "03:40";
+        # kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
+        # randomizedDelaySec = "45min";
+      };
+
+      system.autoUpgrade.allowKexec = lib.mkDefault true;
+
+      luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
+    }
+  ]);
+}

common/backups.nix

@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.backup;
+  hostname = config.networking.hostName;
+
+  mkRespository = group: "s3:s3.us-west-004.backblazeb2.com/D22TgIt0-main-backup/${group}";
+
+  mkBackup = group: paths: {
+    repository = mkRespository group;
+    inherit paths;
+
+    initialize = true;
+
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "1h";
+    };
+
+    extraBackupArgs = [
+      ''--exclude-if-present ".nobackup"''
+    ];
+
+    pruneOpts = [
+      "--keep-daily 7" # one backup for each of the last n days
+      "--keep-weekly 5" # one backup for each of the last n weeks
+      "--keep-monthly 12" # one backup for each of the last n months
+      "--keep-yearly 75" # one backup for each of the last n years
+    ];
+
+    environmentFile = "/run/agenix/backblaze-s3-backups";
+    passwordFile = "/run/agenix/restic-password";
+  };
+
+  # example usage: "sudo restic_samba unlock" (removes lockfile)
+  mkResticGroupCmd = group: pkgs.writeShellScriptBin "restic_${group}" ''
+    if [ "$EUID" -ne 0 ]
+      then echo "Run as root"
+      exit
+    fi
+    . /run/agenix/backblaze-s3-backups
+    export AWS_SECRET_ACCESS_KEY
+    export AWS_ACCESS_KEY_ID
+    export RESTIC_PASSWORD_FILE=/run/agenix/restic-password
+    export RESTIC_REPOSITORY="${mkRespository group}"
+    exec ${pkgs.restic}/bin/restic "$@"
+  '';
+in
+{
+  options.backup = {
+    group = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr (lib.types.attrsOf (lib.types.submodule {
+        options = {
+          paths = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            description = ''
+              Paths to backup
+            '';
+          };
+        };
+      }));
+    };
+  };
+
+  config = lib.mkIf (cfg.group != null) {
+    services.restic.backups = lib.concatMapAttrs
+      (group: groupCfg: {
+        ${group} = mkBackup group groupCfg.paths;
+      })
+      cfg.group;
+
+    age.secrets.backblaze-s3-backups.file = ../secrets/backblaze-s3-backups.age;
+    age.secrets.restic-password.file = ../secrets/restic-password.age;
+
+    environment.systemPackages = map mkResticGroupCmd (builtins.attrNames cfg.group);
+  };
+}

common/boot/bios.nix

@@ -3,7 +3,8 @@
 with lib;
 let
   cfg = config.bios;
-in {
+in
+{
   options.bios = {
     enable = mkEnableOption "enable bios boot";
     device = mkOption {
@@ -12,8 +13,6 @@ in {
   };
 
   config = mkIf cfg.enable {
-    # Enable microcode
-    firmware.x86_64.enable = true;
     # Use GRUB 2 for BIOS
     boot.loader = {
       timeout = 2;
@@ -27,4 +26,4 @@ in {
       };
     };
   };
-}
+}

common/boot/default.nix

@@ -0,0 +1,12 @@
+{ lib, config, pkgs, ... }:
+
+{
+  imports = [
+    ./firmware.nix
+    ./efi.nix
+    ./bios.nix
+    ./kexec-luks.nix
+    ./luks.nix
+    ./remote-luks-unlock.nix
+  ];
+}

common/boot/efi.nix

@@ -3,14 +3,13 @@
 with lib;
 let
   cfg = config.efi;
-in {
+in
+{
   options.efi = {
     enable = mkEnableOption "enable efi boot";
   };
 
   config = mkIf cfg.enable {
-    # Enable microcode
-    firmware.x86_64.enable = true;
     # Use GRUB2 for EFI
     boot.loader = {
       efi.canTouchEfiVariables = true;
@@ -21,7 +20,7 @@ in {
         version = 2;
         efiSupport = true;
         useOSProber = true;
-#       memtest86.enable = true;
+        #       memtest86.enable = true;
         configurationLimit = 20;
         theme = pkgs.nixos-grub2-theme;
       };

common/boot/firmware.nix

@@ -3,7 +3,8 @@
 with lib;
 let
   cfg = config.firmware;
-in {
+in
+{
   options.firmware.x86_64 = {
     enable = mkEnableOption "enable x86_64 firmware";
   };
@@ -14,4 +15,4 @@ in {
   };
 
   # services.fwupd.enable = true;
-}
+}

common/boot/kexec-luks.nix

@@ -0,0 +1,121 @@
+# Allows kexec'ing as an alternative to rebooting for machines that
+# have luks encrypted partitions that need to be mounted at boot.
+# These luks partitions will be automatically unlocked, no password,
+# or any interaction needed whatsoever.
+
+# This is accomplished by fetching the luks key(s) while the system is running,
+# then building a temporary initrd that contains the luks key(s), and kexec'ing.
+
+{ config, lib, pkgs, ... }:
+
+{
+  options.luks = {
+    enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
+  };
+
+  config = lib.mkIf config.luks.enableKexec {
+    luks.fallbackToPassword = true;
+    luks.disableKeyring = true;
+
+    boot.initrd.luks.devices = lib.listToAttrs
+      (builtins.map
+        (item:
+          {
+            name = item;
+            value = {
+              masterKeyFile = "/etc/${item}.key";
+            };
+          })
+        config.luks.deviceNames);
+
+    systemd.services.prepare-luks-kexec-image = {
+      description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
+
+      wantedBy = [ "kexec.target" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig.Type = "oneshot";
+
+      path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
+
+      # based on https://github.com/flowztul/keyexec
+      script = ''
+        system=/nix/var/nix/profiles/system
+        old_initrd=$(readlink -f "$system/initrd")
+
+        umask 0077
+        CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
+
+        cleanup() {
+          shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
+          shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
+          shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
+          rm -rf "$CRYPTROOT_TMPDIR"
+        }
+        # trap cleanup INT TERM EXIT
+
+        mkdir -p "$CRYPTROOT_TMPDIR"
+        cd "$CRYPTROOT_TMPDIR"
+
+        # Determine the compression type of the initrd image
+        compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
+
+        # Decompress the initrd image based on its compression type
+        case "$compression" in
+          gzip)
+            gunzip -c "$old_initrd" > initrd.cpio
+            ;;
+          xz)
+            unxz -c "$old_initrd" > initrd.cpio
+            ;;
+          zstd)
+            zstd -d -c "$old_initrd" > initrd.cpio
+            ;;
+          *)
+            echo "Unsupported compression type: $compression"
+            exit 1
+            ;;
+        esac
+
+        # Extract the contents of the cpio archive
+        mkdir -p initrd_contents
+        cd initrd_contents
+        cpio -idv < ../initrd.cpio
+
+        # Generate keys and add them to the extracted initrd filesystem
+        luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
+        for item in "''${luksDeviceNames[@]}"; do
+          dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
+        done
+
+        # Add normal initrd secrets too
+        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
+            let source' = if source == null then dest else builtins.toString source; in
+              ''
+                mkdir -p $(dirname "./${dest}")
+                cp -a ${source'} "./${dest}"
+              ''
+          ) config.boot.initrd.secrets)
+        }
+
+        # Create a new cpio archive with the modified contents
+        find . | cpio -o -H newc -v > ../new_initrd.cpio
+
+        # Compress the new cpio archive using the original compression type
+        cd ..
+        case "$compression" in
+          gzip)
+            gunzip -c new_initrd.cpio > new_initrd
+            ;;
+          xz)
+            unxz -c new_initrd.cpio > new_initrd
+            ;;
+          zstd)
+            zstd -c new_initrd.cpio > new_initrd
+            ;;
+        esac
+
+        kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
+      '';
+    };
+  };
+}

common/boot/luks.nix

@@ -1,101 +1,74 @@
-{ config, pkgs, lib, ... }:
+# Makes it a little easier to configure luks partitions for boot
+# Additionally, this solves a circular dependency between kexec luks
+# and NixOS's luks module.
+
+{ config, lib, ... }:
 
 let
   cfg = config.luks;
-in {
+
+  deviceCount = builtins.length cfg.devices;
+
+  deviceMap = lib.imap
+    (i: item: {
+      device = item;
+      name =
+        if deviceCount == 1 then "enc-pv"
+        else "enc-pv${builtins.toString (i + 1)}";
+    })
+    cfg.devices;
+in
+{
   options.luks = {
-    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
-    device = {
-      name = lib.mkOption {
-        type = lib.types.str;
-        default = "enc-pv";
-      };
-      path = lib.mkOption {
-        type = lib.types.either lib.types.str lib.types.path;
-      };
-      allowDiscards = lib.mkOption {
-        type = lib.types.bool;
-        default = false;
-      };
+    devices = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
     };
-    sshHostKeys = lib.mkOption {
-      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
-      default = [
-        "/secret/ssh_host_rsa_key"
-        "/secret/ssh_host_ed25519_key"
+
+    allowDiscards = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+
+    fallbackToPassword = lib.mkEnableOption
+      "Fallback to interactive passphrase prompt if the cannot be found.";
+
+    disableKeyring = lib.mkEnableOption
+      "When opening LUKS2 devices, don't use the kernel keyring";
+
+    # set automatically, don't touch
+    deviceNames = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+    };
+  };
+
+  config = lib.mkMerge [
+    {
+      assertions = [
+        {
+          assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
+          message = ''
+            All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
+          '';
+        }
       ];
-    };
-    sshAuthorizedKeys = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
-    };
-    onionConfig = lib.mkOption {
-      type = lib.types.path;
-      default = /secret/onion;
-    };
-    kernelModules = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
-    };
-  };
+    }
+    (lib.mkIf (deviceCount != 0) {
+      luks.deviceNames = builtins.map (device: device.name) deviceMap;
 
-  config = lib.mkIf cfg.enable {
-    boot.initrd.luks.devices.${cfg.device.name} = {
-      device = cfg.device.path;
-      allowDiscards = cfg.device.allowDiscards;
-    };
-
-    # Unlock LUKS disk over ssh
-    boot.initrd.network.enable = true;
-    boot.initrd.kernelModules = cfg.kernelModules;
-    boot.initrd.network.ssh = {
-      enable = true;
-      port = 22;
-      hostKeys = cfg.sshHostKeys;
-      authorizedKeys = cfg.sshAuthorizedKeys;
-    };
-
-    boot.initrd.postDeviceCommands = ''
-      echo 'waiting for root device to be opened...'
-      mkfifo /crypt-ramfs/passphrase
-      echo /crypt-ramfs/passphrase >> /dev/null
-    '';
-
-    # Make machine accessable over tor for boot unlock
-    boot.initrd.secrets = {
-      "/etc/tor/onion/bootup" = cfg.onionConfig;
-    };
-    boot.initrd.extraUtilsCommands = ''
-      copy_bin_and_libs ${pkgs.tor}/bin/tor
-      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
-    '';
-    # start tor during boot process
-    boot.initrd.network.postCommands = let
-      torRc = (pkgs.writeText "tor.rc" ''
-        DataDirectory /etc/tor
-        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
-        SOCKSPort 127.0.0.1:9063
-        HiddenServiceDir /etc/tor/onion/bootup
-        HiddenServicePort 22 127.0.0.1:22
-      '');
-    in ''
-      # Add nice prompt for giving LUKS passphrase over ssh
-      echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
-
-      echo "tor: preparing onion folder"
-      # have to do this otherwise tor does not want to start
-      chmod -R 700 /etc/tor
-
-      echo "make sure localhost is up"
-      ip a a 127.0.0.1/8 dev lo
-      ip link set lo up
-
-      echo "haveged: starting haveged"
-      haveged -F &
-
-      echo "tor: starting tor"
-      tor -f ${torRc} --verify-config
-      tor -f ${torRc} &
-    '';
-  };
+      boot.initrd.luks.devices = lib.listToAttrs (
+        builtins.map
+          (item:
+            {
+              name = item.name;
+              value = {
+                device = item.device;
+                allowDiscards = cfg.allowDiscards;
+                fallbackToPassword = cfg.fallbackToPassword;
+                disableKeyring = cfg.disableKeyring;
+              };
+            })
+          deviceMap);
+    })
+  ];
 }

common/boot/remote-luks-unlock.nix

@@ -0,0 +1,94 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.remoteLuksUnlock;
+in
+{
+  options.remoteLuksUnlock = {
+    enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
+    enableTorUnlock = lib.mkOption {
+      type = lib.types.bool;
+      default = cfg.enable;
+      description = "Make machine accessable over tor for ssh boot unlock";
+    };
+    sshHostKeys = lib.mkOption {
+      type = lib.types.listOf (lib.types.either lib.types.str lib.types.path);
+      default = [
+        "/secret/ssh_host_rsa_key"
+        "/secret/ssh_host_ed25519_key"
+      ];
+    };
+    sshAuthorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = config.users.users.googlebot.openssh.authorizedKeys.keys;
+    };
+    onionConfig = lib.mkOption {
+      type = lib.types.path;
+      default = /secret/onion;
+    };
+    kernelModules = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ "e1000" "e1000e" "virtio_pci" "r8169" ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Unlock LUKS disk over ssh
+    boot.initrd.network.enable = true;
+    boot.initrd.kernelModules = cfg.kernelModules;
+    boot.initrd.network.ssh = {
+      enable = true;
+      port = 22;
+      hostKeys = cfg.sshHostKeys;
+      authorizedKeys = cfg.sshAuthorizedKeys;
+    };
+
+    boot.initrd.postDeviceCommands = ''
+      echo 'waiting for root device to be opened...'
+      mkfifo /crypt-ramfs/passphrase
+      echo /crypt-ramfs/passphrase >> /dev/null
+    '';
+
+    boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
+      "/etc/tor/onion/bootup" = cfg.onionConfig;
+    };
+    boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
+      copy_bin_and_libs ${pkgs.tor}/bin/tor
+      copy_bin_and_libs ${pkgs.haveged}/bin/haveged
+    '';
+    boot.initrd.network.postCommands = lib.mkMerge [
+      (
+        ''
+          # Add nice prompt for giving LUKS passphrase over ssh
+          echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
+        ''
+      )
+
+      (
+        let torRc = (pkgs.writeText "tor.rc" ''
+          DataDirectory /etc/tor
+          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+          SOCKSPort 127.0.0.1:9063
+          HiddenServiceDir /etc/tor/onion/bootup
+          HiddenServicePort 22 127.0.0.1:22
+        ''); in
+        lib.mkIf cfg.enableTorUnlock ''
+          echo "tor: preparing onion folder"
+          # have to do this otherwise tor does not want to start
+          chmod -R 700 /etc/tor
+
+          echo "make sure localhost is up"
+          ip a a 127.0.0.1/8 dev lo
+          ip link set lo up
+
+          echo "haveged: starting haveged"
+          haveged -F &
+
+          echo "tor: starting tor"
+          tor -f ${torRc} --verify-config
+          tor -f ${torRc} &
+        ''
+      )
+    ];
+  };
+}

common/common.nix

@@ -1,47 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    ./flakes.nix
-    ./pia.nix
-    ./zerotier.nix
-    ./boot/firmware.nix
-    ./boot/efi.nix
-    ./boot/bios.nix
-    ./boot/luks.nix
-    ./server/nginx.nix
-    ./server/thelounge.nix
-    ./server/mumble.nix
-    ./server/icecast.nix
-    ./server/nginx-stream.nix
-    ./server/matrix.nix
-    ./server/zerobin.nix
-    ./server/gitea.nix
-    ./server/privatebin/privatebin.nix
-    ./pc/de.nix
-  ];
-
-  system.stateVersion = "20.09";
-
-  networking.useDHCP = false;
-
-  time.timeZone = "America/New_York";
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  services.openssh.enable = true;
-
-  environment.systemPackages = with pkgs; [
-    wget kakoune htop git dnsutils tmux nethogs iotop pciutils
-  ];
-
-  nixpkgs.config.allowUnfree = true;
-
-  users.mutableUsers = false;
-  users.users.googlebot = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = (import ./ssh.nix).users;
-    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
-  };
-  nix.trustedUsers = [ "root" "googlebot" ];
-}

common/default.nix

@@ -0,0 +1,91 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./backups.nix
+    ./flakes.nix
+    ./auto-update.nix
+    ./shell.nix
+    ./network
+    ./boot
+    ./server
+    ./pc
+    ./machine-info
+    ./ssh.nix
+  ];
+
+  nix.flakes.enable = true;
+
+  system.stateVersion = "21.11";
+
+  networking.useDHCP = false;
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+
+  time.timeZone = "America/Denver";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+    };
+  };
+  programs.mosh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    wget
+    kakoune
+    htop
+    git
+    git-lfs
+    dnsutils
+    tmux
+    nethogs
+    iotop
+    pciutils
+    usbutils
+    killall
+    screen
+    micro
+    helix
+    lm_sensors
+    picocom
+    lf
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  users.mutableUsers = false;
+  users.users.googlebot = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "dialout" # serial
+    ];
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
+    hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
+    uid = 1000;
+  };
+  users.users.root = {
+    openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
+  };
+  nix.settings = {
+    trusted-users = [ "root" "googlebot" ];
+  };
+
+  # don't use sudo
+  security.doas.enable = true;
+  security.sudo.enable = false;
+  security.doas.extraRules = [
+    # don't ask for password every time
+    { groups = [ "wheel" ]; persist = true; }
+  ];
+
+  nix.gc.automatic = true;
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "zuckerberg@neet.dev";
+}

common/flakes.nix

@@ -1,8 +1,9 @@
-{ lib, pkgs, config, inputs, ... }:
+{ lib, pkgs, config, ... }:
 with lib;
 let
   cfg = config.nix.flakes;
-in {
+in
+{
   options.nix.flakes = {
     enable = mkEnableOption "use nix flakes";
   };
@@ -15,7 +16,10 @@ in {
       '';
 
       # pin nixpkgs for system commands such as "nix shell"
-      registry.nixpkgs.flake = inputs.nixpkgs;
+      registry.nixpkgs.flake = config.inputs.nixpkgs;
+
+      # pin system nixpkgs to the same version as the flake input
+      nixPath = [ "nixpkgs=${config.inputs.nixpkgs}" ];
     };
   };
 }

common/machine-info/default.nix

@@ -0,0 +1,200 @@
+# Gathers info about each machine to constuct overall configuration
+# Ex: Each machine already trusts each others SSH fingerprint already
+
+{ config, lib, pkgs, ... }:
+
+let
+  machines = config.machines.hosts;
+in
+{
+  imports = [
+    ./ssh.nix
+    ./roles.nix
+  ];
+
+  options.machines = {
+
+    hosts = lib.mkOption {
+      type = lib.types.attrsOf
+        (lib.types.submodule {
+          options = {
+
+            hostNames = lib.mkOption {
+              type = lib.types.listOf lib.types.str;
+              description = ''
+                List of hostnames for this machine. The first one is the default so it is the target of deployments.
+                Used for automatically trusting hosts for ssh connections.
+              '';
+            };
+
+            arch = lib.mkOption {
+              type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
+              description = ''
+                The architecture of this machine.
+              '';
+            };
+
+            systemRoles = lib.mkOption {
+              type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
+              description = ''
+                The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
+              '';
+            };
+
+            hostKey = lib.mkOption {
+              type = lib.types.str;
+              description = ''
+                The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
+                and for decrypting secrets with agenix.
+              '';
+            };
+
+            remoteUnlock = lib.mkOption {
+              default = null;
+              type = lib.types.nullOr (lib.types.submodule {
+                options = {
+
+                  hostKey = lib.mkOption {
+                    type = lib.types.str;
+                    description = ''
+                      The system ssh host key of this machine used for luks boot unlocking only.
+                    '';
+                  };
+
+                  clearnetHost = lib.mkOption {
+                    default = null;
+                    type = lib.types.nullOr lib.types.str;
+                    description = ''
+                      The hostname resolvable over clearnet used to luks boot unlock this machine
+                    '';
+                  };
+
+                  onionHost = lib.mkOption {
+                    default = null;
+                    type = lib.types.nullOr lib.types.str;
+                    description = ''
+                      The hostname resolvable over tor used to luks boot unlock this machine
+                    '';
+                  };
+
+                };
+              });
+            };
+
+            userKeys = lib.mkOption {
+              default = [ ];
+              type = lib.types.listOf lib.types.str;
+              description = ''
+                The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
+
+                TODO: consider auto populating other programs that use ssh keys such as gitea
+              '';
+            };
+
+            deployKeys = lib.mkOption {
+              default = [ ];
+              type = lib.types.listOf lib.types.str;
+              description = ''
+                The list of deployment keys. Each key here can be used to log into all other systems as `root`.
+              '';
+            };
+
+            configurationPath = lib.mkOption {
+              type = lib.types.path;
+              description = ''
+                The path to this machine's configuration directory.
+              '';
+            };
+
+          };
+        });
+    };
+  };
+
+  config = {
+    assertions = (lib.concatLists (lib.mapAttrsToList
+      (
+        name: cfg: [
+          {
+            assertion = builtins.length cfg.hostNames > 0;
+            message = ''
+              Error with config for ${name}
+              There must be at least one hostname.
+            '';
+          }
+          {
+            assertion = builtins.length cfg.systemRoles > 0;
+            message = ''
+              Error with config for ${name}
+              There must be at least one system role.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
+            message = ''
+              Error with config for ${name}
+              Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
+            message = ''
+              Error with config for ${name}
+              At least one of clearnet host or onion host must be defined.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
+            message = ''
+              Error with config for ${name}
+              Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
+            '';
+          }
+          {
+            assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
+            message = ''
+              Error with config for ${name}
+              Tor unlock hostname must be an onion address.
+            '';
+          }
+          {
+            assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
+            message = ''
+              Error with config for ${name}
+              There must be at least one userkey defined for personal machines.
+            '';
+          }
+          {
+            assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
+            message = ''
+              Error with config for ${name}
+              Only deploy machines are allowed to have deploy keys for security reasons.
+            '';
+          }
+        ]
+      )
+      machines));
+
+    # Set per machine properties automatically using each of their `properties.nix` files respectively
+    machines.hosts =
+      let
+        properties = dir: lib.concatMapAttrs
+          (name: path: {
+            ${name} =
+              import path
+              //
+              { configurationPath = builtins.dirOf path; };
+          })
+          (propertiesFiles dir);
+        propertiesFiles = dir:
+          lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
+        propertiesFiles' = dir:
+          let
+            propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
+            dirName = path: builtins.baseNameOf (builtins.dirOf path);
+          in
+          builtins.map (p: { "${dirName p}" = p; }) propFiles;
+      in
+      properties ../../machines;
+  };
+}

common/machine-info/moduleless.nix

@@ -0,0 +1,15 @@
+# Allows getting machine-info outside the scope of nixos configuration
+
+{ nixpkgs ? import <nixpkgs> { }
+, assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
+}:
+
+{
+  machines =
+    (nixpkgs.lib.evalModules {
+      modules = [
+        ./default.nix
+        assertionsModule
+      ];
+    }).config.machines;
+}

common/machine-info/roles.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+# Maps roles to their hosts
+
+{
+  options.machines.roles = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+  };
+
+  config = {
+    machines.roles = lib.zipAttrs
+      (lib.mapAttrsToList
+        (host: cfg:
+          lib.foldl (lib.mergeAttrs) { }
+            (builtins.map (role: { ${role} = host; })
+              cfg.systemRoles))
+        config.machines.hosts);
+  };
+}

common/machine-info/ssh.nix

@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+
+let
+  machines = config.machines;
+
+  sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
+in
+{
+  options.machines.ssh = {
+    userKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = ''
+        List of user keys aggregated from all machines.
+      '';
+    };
+
+    deployKeys = lib.mkOption {
+      default = [ ];
+      type = lib.types.listOf lib.types.str;
+      description = ''
+        List of deploy keys aggregated from all machines.
+      '';
+    };
+
+    hostKeysByRole = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+      description = ''
+        Machine host keys divided into their roles.
+      '';
+    };
+  };
+
+  config = {
+    machines.ssh.userKeys = sshkeys "userKeys";
+    machines.ssh.deployKeys = sshkeys "deployKeys";
+
+    machines.ssh.hostKeysByRole = lib.mapAttrs
+      (role: hosts:
+        builtins.map
+          (host: machines.hosts.${host}.hostKey)
+          hosts)
+      machines.roles;
+  };
+}

common/network/ca.rsa.4096.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
+BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
+dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
+IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
+FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
+MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
+EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
+QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
+AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
+ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
+bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
+hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
+De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
+V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
+25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
+fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
+p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
+Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
+tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
+jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
+meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
+1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
+HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
+yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
+cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
+HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
+ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
+aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
+pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
+Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
+tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
+LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
+6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
+5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
+JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
+iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
+8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
++no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
+-----END CERTIFICATE-----

common/network/default.nix

@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.networking;
+in
+{
+  imports = [
+    ./pia-openvpn.nix
+    ./pia-wireguard.nix
+    ./ping.nix
+    ./tailscale.nix
+    ./vpn.nix
+  ];
+
+  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
+
+  config = mkIf cfg.ip_forward {
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+  };
+}

common/network/pia-openvpn.nix

@@ -0,0 +1,113 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.pia.openvpn;
+  vpnfailsafe = pkgs.stdenv.mkDerivation {
+    pname = "vpnfailsafe";
+    version = "0.0.1";
+    src = ./.;
+    installPhase = ''
+      mkdir -p $out
+      cp vpnfailsafe.sh $out/vpnfailsafe.sh
+      sed -i 's|getent|${pkgs.getent}/bin/getent|' $out/vpnfailsafe.sh
+    '';
+  };
+in
+{
+  options.pia.openvpn = {
+    enable = lib.mkEnableOption "Enable private internet access";
+    server = lib.mkOption {
+      type = lib.types.str;
+      default = "us-washingtondc.privacy.network";
+      example = "swiss.privacy.network";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.openvpn = {
+      servers = {
+        pia = {
+          config = ''
+            client
+            dev tun
+            proto udp
+            remote ${cfg.server} 1198
+            resolv-retry infinite
+            nobind
+            persist-key
+            persist-tun
+            cipher aes-128-cbc
+            auth sha1
+            tls-client
+            remote-cert-tls server
+
+            auth-user-pass
+            compress
+            verb 1
+            reneg-sec 0
+            <crl-verify>
+            -----BEGIN X509 CRL-----
+            MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+            EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
+            cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
+            HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
+            ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
+            aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
+            MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
+            9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
+            jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
+            B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
+            ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
+            5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
+            MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
+            -----END X509 CRL-----
+            </crl-verify>
+
+            <ca>
+            -----BEGIN CERTIFICATE-----
+            MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
+            VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
+            BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
+            dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
+            IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
+            FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
+            MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
+            EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
+            QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
+            AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
+            ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
+            bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
+            L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
+            lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
+            cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
+            8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
+            /5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
+            OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
+            y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
+            sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
+            b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
+            A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
+            SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
+            czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
+            b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
+            a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
+            ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
+            7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
+            GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
+            1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
+            YDQ8z9v+DMO6iwyIDRiU
+            -----END CERTIFICATE-----
+            </ca>
+
+            disable-occ
+            auth-user-pass /run/agenix/pia-login.conf
+          '';
+          autoStart = true;
+          up = "${vpnfailsafe}/vpnfailsafe.sh";
+          down = "${vpnfailsafe}/vpnfailsafe.sh";
+        };
+      };
+    };
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
+  };
+}

common/network/pia-wireguard.nix

@@ -0,0 +1,357 @@
+{ config, lib, pkgs, ... }:
+
+# Server list:
+#   https://serverlist.piaservers.net/vpninfo/servers/v6
+# Reference materials:
+#   https://github.com/pia-foss/manual-connections
+#   https://github.com/thrnz/docker-wireguard-pia/blob/master/extra/wg-gen.sh
+
+# TODO handle potential errors (or at least print status, success, and failures to the console)
+# TODO parameterize names of systemd services so that multiple wg VPNs could coexist in theory easier
+# TODO implement this module such that the wireguard VPN doesn't have to live in a container
+# TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
+# TODO verify signatures of PIA responses
+
+with builtins;
+with lib;
+
+let
+  cfg = config.pia.wireguard;
+
+  getPIAToken = ''
+    PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
+    PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
+    # PIA_TOKEN only lasts 24hrs
+    PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
+  '';
+
+  chooseWireguardServer = ''
+    servers=$(mktemp)
+    servers_json=$(mktemp)
+    curl -s "https://serverlist.piaservers.net/vpninfo/servers/v6" > "$servers"
+    # extract json part only
+    head -n 1 "$servers" | tr -d '\n' > "$servers_json"
+
+    echo "Available location ids:" && jq '.regions | .[] | {name, id, port_forward}' "$servers_json"
+
+    # Some locations have multiple servers available. Pick a random one.
+    totalservers=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | length' "$servers_json")
+    if ! [[ "$totalservers" =~ ^[0-9]+$ ]] || [ "$totalservers" -eq 0 ] 2>/dev/null; then
+      echo "Location \"${cfg.serverLocation}\" not found."
+      exit 1
+    fi
+    serverindex=$(( RANDOM % totalservers))
+    WG_HOSTNAME=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].cn' "$servers_json")
+    WG_SERVER_IP=$(jq -r '.regions | .[] | select(.id=="'${cfg.serverLocation}'") | .servers.wg | .['$serverindex'].ip' "$servers_json")
+    WG_SERVER_PORT=$(jq -r '.groups.wg | .[0] | .ports | .[0]' "$servers_json")
+
+    # write chosen server
+    rm -f /tmp/${cfg.interfaceName}-server.conf
+    touch /tmp/${cfg.interfaceName}-server.conf
+    chmod 700 /tmp/${cfg.interfaceName}-server.conf
+    echo "$WG_HOSTNAME" >> /tmp/${cfg.interfaceName}-server.conf
+    echo "$WG_SERVER_IP" >> /tmp/${cfg.interfaceName}-server.conf
+    echo "$WG_SERVER_PORT" >> /tmp/${cfg.interfaceName}-server.conf
+
+    rm $servers_json $servers
+  '';
+
+  getChosenWireguardServer = ''
+    WG_HOSTNAME=`sed '1q;d' /tmp/${cfg.interfaceName}-server.conf`
+    WG_SERVER_IP=`sed '2q;d' /tmp/${cfg.interfaceName}-server.conf`
+    WG_SERVER_PORT=`sed '3q;d' /tmp/${cfg.interfaceName}-server.conf`
+  '';
+
+  refreshPIAPort = ''
+    ${getChosenWireguardServer}
+    signature=`sed '1q;d' /tmp/${cfg.interfaceName}-port-renewal`
+    payload=`sed '2q;d' /tmp/${cfg.interfaceName}-port-renewal`
+    bind_port_response=`curl -Gs -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "payload=$payload" --data-urlencode "signature=$signature" "https://$WG_HOSTNAME:19999/bindPort"`
+  '';
+
+  portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
+
+  containerServiceName = "container@${config.vpn-container.containerName}.service";
+in
+{
+  options.pia.wireguard = {
+    enable = mkEnableOption "Enable private internet access";
+    badPortForwardPorts = mkOption {
+      type = types.listOf types.port;
+      description = ''
+        Ports that will not be accepted from PIA.
+        If PIA assigns a port from this list, the connection is aborted since we cannot ask for a different port.
+        This is used to guarantee we are not assigned a port that is used by a service we do not want exposed.
+      '';
+    };
+    wireguardListenPort = mkOption {
+      type = types.port;
+      description = "The port wireguard listens on for this VPN connection";
+      default = 51820;
+    };
+    serverLocation = mkOption {
+      type = types.str;
+      default = "swiss";
+    };
+    interfaceName = mkOption {
+      type = types.str;
+      default = "piaw";
+    };
+    forwardedPort = mkOption {
+      type = types.nullOr types.port;
+      description = "The port to redirect port forwarded TCP VPN traffic too";
+      default = null;
+    };
+    forwardPortForTransmission = mkEnableOption "PIA port forwarding for transmission should be performed.";
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.forwardPortForTransmission != (cfg.forwardedPort != null);
+        message = ''
+          The PIA forwarded port cannot simultaneously be used by transmission and redirected to another port.
+        '';
+      }
+    ];
+
+    # mounts used to pass the connection parameters to the container
+    # the container doesn't have internet until it uses these parameters so it cannot fetch them itself
+    vpn-container.mounts = [
+      "/tmp/${cfg.interfaceName}.conf"
+      "/tmp/${cfg.interfaceName}-server.conf"
+      "/tmp/${cfg.interfaceName}-address.conf"
+    ];
+
+    # The container takes ownership of the wireguard interface on its startup
+    containers.vpn.interfaces = [ cfg.interfaceName ];
+
+    # TODO: while this is much better than "loose" networking, it seems to have issues with firewall restarts
+    # allow traffic for wireguard interface to pass since wireguard trips up rpfilter
+    # networking.firewall = {
+    #   extraCommands = ''
+    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN
+    #     ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN
+    #   '';
+    #   extraStopCommands = ''
+    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport ${toString cfg.wireguardListenPort} -j RETURN || true
+    #     ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport ${toString cfg.wireguardListenPort} -j RETURN || true
+    #   '';
+    # };
+    networking.firewall.checkReversePath = "loose";
+
+    systemd.services.pia-vpn-wireguard-init = {
+      description = "Creates PIA VPN Wireguard Interface";
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      before = [ containerServiceName ];
+      requiredBy = [ containerServiceName ];
+      partOf = [ containerServiceName ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ wireguard-tools jq curl iproute ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+
+        # restart once a month; PIA forwarded port expires after two months
+        # because the container is "PartOf" this unit, it gets restarted too
+        RuntimeMaxSec = "30d";
+      };
+
+      script = ''
+        # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
+        # cannot do without internet to start with. NAT'ing the host's internet would address this
+        # issue but is not ideal because then leaking network outside of the VPN is more likely.
+
+        ${chooseWireguardServer}
+
+        ${getPIAToken}
+
+        # generate wireguard keys
+        privKey=$(wg genkey)
+        pubKey=$(echo "$privKey" | wg pubkey)
+
+        # authorize our WG keys with the PIA server we are about to connect to
+        wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:$WG_SERVER_PORT/addKey`
+
+        # create wg-quick config file
+        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+        touch /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+        chmod 700 /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+        echo "
+        [Interface]
+        # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
+        PrivateKey = $privKey
+        ListenPort = ${toString cfg.wireguardListenPort}
+        [Peer]
+        PersistentKeepalive = 25
+        PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
+        AllowedIPs = 0.0.0.0/0
+        Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
+        " >> /tmp/${cfg.interfaceName}.conf
+
+        # create file storing the VPN ip address PIA assigned to us
+        echo "$wireguard_json" | jq -r '.peer_ip' >> /tmp/${cfg.interfaceName}-address.conf
+
+        # Create wg interface now so it inherits from the namespace with internet access
+        # the container will handle actually connecting the interface since that info is
+        # not preserved upon moving into the container's networking namespace
+        # Roughly following this guide https://www.wireguard.com/netns/#ordinary-containerization
+        [[ -z $(ip link show dev ${cfg.interfaceName} 2>/dev/null) ]] || exit
+        ip link add ${cfg.interfaceName} type wireguard
+      '';
+
+      preStop = ''
+        # cleanup wireguard interface
+        ip link del ${cfg.interfaceName}
+        rm -f /tmp/${cfg.interfaceName}.conf /tmp/${cfg.interfaceName}-address.conf
+      '';
+    };
+
+    vpn-container.config.systemd.services.pia-vpn-wireguard = {
+      description = "Initializes the PIA VPN WireGuard Tunnel";
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ wireguard-tools iproute curl jq iptables ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+
+      script = ''
+        # pseudo calls wg-quick
+        # Near equivalent of "wg-quick up /tmp/${cfg.interfaceName}.conf"
+        # cannot actually call wg-quick because the interface has to be already
+        # created before the container taken ownership of the interface
+        # Thus, assumes wg interface was already created:
+        #   ip link add ${cfg.interfaceName} type wireguard
+
+        ${getChosenWireguardServer}
+
+        myaddress=`cat /tmp/${cfg.interfaceName}-address.conf`
+
+        wg setconf ${cfg.interfaceName} /tmp/${cfg.interfaceName}.conf
+        ip -4 address add $myaddress dev ${cfg.interfaceName}
+        ip link set mtu 1420 up dev ${cfg.interfaceName}
+        wg set ${cfg.interfaceName} fwmark ${toString cfg.wireguardListenPort}
+        ip -4 route add 0.0.0.0/0 dev ${cfg.interfaceName} table ${toString cfg.wireguardListenPort}
+
+        # TODO is this needed?
+        ip -4 rule add not fwmark ${toString cfg.wireguardListenPort} table ${toString cfg.wireguardListenPort}
+        ip -4 rule add table main suppress_prefixlength 0
+
+        # The rest of the script is only for only for port forwarding skip if not needed
+        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
+
+        # Reserve port
+        ${getPIAToken}
+        payload_and_signature=`curl -s -m 5 --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" -G --data-urlencode "token=$PIA_TOKEN" "https://$WG_HOSTNAME:19999/getSignature"`
+        signature=$(echo "$payload_and_signature" | jq -r '.signature')
+        payload=$(echo "$payload_and_signature" | jq -r '.payload')
+        port=$(echo "$payload" | base64 -d | jq -r '.port')
+
+        # Check if the port is acceptable
+        notallowed=(${concatStringsSep " " (map toString cfg.badPortForwardPorts)})
+        if [[ " ''${notallowed[*]} " =~ " $port " ]]; then
+          # the port PIA assigned is not allowed, kill the connection
+          wg-quick down /tmp/${cfg.interfaceName}.conf
+          exit 1
+        fi
+
+        # write reserved port to file readable for all users
+        echo $port > /tmp/${cfg.interfaceName}-port
+        chmod 644 /tmp/${cfg.interfaceName}-port
+
+        # write payload and signature info needed to allow refreshing allocated forwarded port
+        rm -f /tmp/${cfg.interfaceName}-port-renewal
+        touch /tmp/${cfg.interfaceName}-port-renewal
+        chmod 700 /tmp/${cfg.interfaceName}-port-renewal
+        echo $signature >> /tmp/${cfg.interfaceName}-port-renewal
+        echo $payload >> /tmp/${cfg.interfaceName}-port-renewal
+
+        # Block all traffic from VPN interface except for traffic that is from the forwarded port
+        iptables -I nixos-fw -p tcp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
+        iptables -I nixos-fw -p udp --dport $port -j nixos-fw-accept -i ${cfg.interfaceName}
+
+        # The first port refresh triggers the port to be actually allocated
+        ${refreshPIAPort}
+
+        ${optionalString (cfg.forwardedPort != null) ''
+          # redirect the fowarded port
+          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
+          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
+          iptables -A INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
+          iptables -A INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
+          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
+          iptables -A PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
+        ''}
+
+        ${optionalString cfg.forwardPortForTransmission ''
+          # assumes no auth needed for transmission
+          curlout=$(curl localhost:9091/transmission/rpc 2>/dev/null)
+          regex='X-Transmission-Session-Id\: (\w*)'
+          if [[ $curlout =~ $regex ]]; then
+              sessionId=''${BASH_REMATCH[1]}
+          else
+              exit 1
+          fi
+
+          # set the port in transmission
+          data='{"method": "session-set", "arguments": { "peer-port" :'$port' } }'
+          curl http://localhost:9091/transmission/rpc -d "$data" -H "X-Transmission-Session-Id: $sessionId"
+        ''}
+      '';
+
+      preStop = ''
+        wg-quick down /tmp/${cfg.interfaceName}.conf
+
+        # The rest of the script is only for only for port forwarding skip if not needed
+        if [ ${boolToString portForwarding} == false ]; then exit 0; fi
+
+        ${optionalString (cfg.forwardedPort != null) ''
+          # stop redirecting the forwarded port
+          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport $port -j ACCEPT
+          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport $port -j ACCEPT
+          iptables -D INPUT -i ${cfg.interfaceName} -p tcp --dport ${toString cfg.forwardedPort} -j ACCEPT
+          iptables -D INPUT -i ${cfg.interfaceName} -p udp --dport ${toString cfg.forwardedPort} -j ACCEPT
+          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p tcp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
+          iptables -D PREROUTING -t nat -i ${cfg.interfaceName} -p udp --dport $port -j REDIRECT --to-port ${toString cfg.forwardedPort}
+        ''}
+      '';
+    };
+
+    vpn-container.config.systemd.services.pia-vpn-wireguard-forward-port = {
+      enable = portForwarding;
+      description = "PIA VPN WireGuard Tunnel Port Forwarding";
+      after = [ "pia-vpn-wireguard.service" ];
+      requires = [ "pia-vpn-wireguard.service" ];
+
+      path = with pkgs; [ curl ];
+
+      serviceConfig = {
+        Type = "oneshot";
+      };
+
+      script = refreshPIAPort;
+    };
+
+    vpn-container.config.systemd.timers.pia-vpn-wireguard-forward-port = {
+      enable = portForwarding;
+      partOf = [ "pia-vpn-wireguard-forward-port.service" ];
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*:0/10"; # 10 minutes
+        RandomizedDelaySec = "1m"; # vary by 1 min to give PIA servers some relief
+      };
+    };
+
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
+  };
+}

common/network/ping.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+
+# keeps peer to peer connections alive with a periodic ping
+
+with lib;
+with builtins;
+
+# todo auto restart
+
+let
+  cfg = config.keepalive-ping;
+
+  serviceTemplate = host:
+    {
+      "keepalive-ping@${host}" = {
+        description = "Periodic ping keep alive for ${host} connection";
+
+        requires = [ "network-online.target" ];
+        after = [ "network.target" "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig.Restart = "always";
+
+        path = with pkgs; [ iputils ];
+
+        script = ''
+          ping -i ${cfg.delay} ${host} &>/dev/null
+        '';
+      };
+    };
+
+  combineAttrs = foldl recursiveUpdate { };
+
+  serviceList = map serviceTemplate cfg.hosts;
+
+  services = combineAttrs serviceList;
+in
+{
+  options.keepalive-ping = {
+    enable = mkEnableOption "Enable keep alive ping task";
+    hosts = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        Hosts to ping periodically
+      '';
+    };
+    delay = mkOption {
+      type = types.str;
+      default = "60";
+      description = ''
+        Ping interval in seconds of periodic ping per host being pinged
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services = services;
+  };
+}

common/network/tailscale.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tailscale;
+in
+{
+  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
+
+  config.services.tailscale.enable = mkDefault (!config.boot.isContainer);
+
+  # MagicDNS
+  config.networking.nameservers = mkIf cfg.enable [ "1.1.1.1" "8.8.8.8" ];
+  config.networking.search = mkIf cfg.enable [ "koi-bebop.ts.net" ];
+
+  # exit node
+  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
+  config.networking.ip_forward = mkIf cfg.exitNode true;
+}

common/network/vpn.nix

@@ -0,0 +1,109 @@
+{ config, pkgs, lib, allModules, ... }:
+
+with lib;
+
+let
+  cfg = config.vpn-container;
+in
+{
+  options.vpn-container = {
+    enable = mkEnableOption "Enable VPN container";
+
+    containerName = mkOption {
+      type = types.str;
+      default = "vpn";
+      description = ''
+        Name of the VPN container.
+      '';
+    };
+
+    mounts = mkOption {
+      type = types.listOf types.str;
+      default = [ "/var/lib" ];
+      example = "/home/example";
+      description = ''
+        List of mounts on the host to bind to the vpn container.
+      '';
+    };
+
+    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
+
+    config = mkOption {
+      type = types.anything;
+      default = { };
+      example = ''
+        {
+          services.nginx.enable = true;
+        }
+      '';
+      description = ''
+        NixOS config for the vpn container.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    pia.wireguard.enable = !cfg.useOpenVPN;
+    pia.wireguard.forwardPortForTransmission = !cfg.useOpenVPN;
+
+    containers.${cfg.containerName} = {
+      ephemeral = true;
+      autoStart = true;
+
+      bindMounts = mkMerge ([{
+        "/run/agenix" = {
+          hostPath = "/run/agenix";
+          isReadOnly = true;
+        };
+      }] ++ (lists.forEach cfg.mounts (mount:
+        {
+          "${mount}" = {
+            hostPath = mount;
+            isReadOnly = false;
+          };
+        }
+      )));
+
+      enableTun = cfg.useOpenVPN;
+      privateNetwork = true;
+      hostAddress = "172.16.100.1";
+      localAddress = "172.16.100.2";
+
+      config = {
+        imports = allModules ++ [ cfg.config ];
+
+        # speeds up evaluation
+        nixpkgs.pkgs = pkgs;
+
+        # networking.firewall.enable = mkForce false;
+        networking.firewall.trustedInterfaces = [
+          # completely trust internal interface to host
+          "eth0"
+        ];
+
+        pia.openvpn.enable = cfg.useOpenVPN;
+        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
+
+        # TODO fix so it does run it's own resolver again
+        # run it's own DNS resolver
+        networking.useHostResolvConf = false;
+        # services.resolved.enable = true;
+        networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+      };
+    };
+
+    # load secrets the container needs
+    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
+
+    # forwarding for vpn container (only for OpenVPN)
+    networking.nat.enable = mkIf cfg.useOpenVPN true;
+    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
+      "ve-${cfg.containerName}"
+    ];
+    networking.ip_forward = mkIf cfg.useOpenVPN true;
+
+    # assumes only one potential interface
+    networking.usePredictableInterfaceNames = false;
+    networking.nat.externalInterface = "eth0";
+  };
+}

common/network/vpnfailsafe.sh

@@ -0,0 +1,187 @@
+#!/usr/bin/env bash
+
+set -eEo pipefail
+
+# $@ := ""
+set_route_vars() {
+    local network_var
+    local -a network_vars; read -ra network_vars <<<"${!route_network_*}"
+    for network_var in "${network_vars[@]}"; do
+        local -i i="${network_var#route_network_}"
+        local -a vars=("route_network_$i" "route_netmask_$i" "route_gateway_$i" "route_metric_$i")
+        route_networks[i]="${!vars[0]}"
+        route_netmasks[i]="${!vars[1]:-255.255.255.255}"
+        route_gateways[i]="${!vars[2]:-$route_vpn_gateway}"
+        route_metrics[i]="${!vars[3]:-0}"
+    done
+}
+
+# Configuration.
+readonly prog="$(basename "$0")"
+readonly private_nets="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+declare -a remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
+read -ra remotes <<<"$(env|grep -oP '^remote_[0-9]+=.*'|sort -n|cut -d= -f2|tr '\n' '\t')"
+read -ra cnf_remote_domains <<<"$(printf '%s\n' "${remotes[@]%%*[0-9]}"|sort -u|tr '\n' '\t')"
+read -ra cnf_remote_ips <<<"$(printf '%s\n' "${remotes[@]##*[!0-9.]*}"|sort -u|tr '\n' '\t')"
+set_route_vars
+read -ra numbered_vars <<<"${!foreign_option_*} ${!proto_*} ${!remote_*} ${!remote_port_*} \
+                           ${!route_network_*} ${!route_netmask_*} ${!route_gateway_*} ${!route_metric_*}"
+readonly numbered_vars "${numbered_vars[@]}" dev ifconfig_local ifconfig_netmask ifconfig_remote \
+         route_net_gateway route_vpn_gateway script_type trusted_ip trusted_port untrusted_ip untrusted_port \
+         remotes cnf_remote_domains cnf_remote_ips route_networks route_netmasks route_gateways route_metrics
+readonly cur_remote_ip="${trusted_ip:-$untrusted_ip}"
+readonly cur_port="${trusted_port:-$untrusted_port}"
+
+# $@ := ""
+update_hosts() {
+    if remote_entries="$(getent -s dns hosts "${cnf_remote_domains[@]}"|grep -v :)"; then
+        local -r beg="# VPNFAILSAFE BEGIN" end="# VPNFAILSAFE END"
+        {
+            sed -e "/^$beg/,/^$end/d" /etc/hosts
+            echo -e "$beg\\n$remote_entries\\n$end"
+        } >/etc/hosts.vpnfailsafe
+        chmod --reference=/etc/hosts /etc/hosts.vpnfailsafe
+        mv /etc/hosts.vpnfailsafe /etc/hosts
+    fi
+}
+
+# $@ := "up" | "down"
+update_routes() {
+    local -a resolved_ips
+    read -ra resolved_ips <<<"$(getent -s files hosts "${cnf_remote_domains[@]:-ENOENT}"|cut -d' ' -f1|tr '\n' '\t' || true)"
+    local -ar remote_ips=("$cur_remote_ip" "${resolved_ips[@]}" "${cnf_remote_ips[@]}")
+    if [[ "$*" == up ]]; then
+        for remote_ip in "${remote_ips[@]}"; do
+            if [[ -n "$remote_ip" && -z "$(ip route show "$remote_ip")" ]]; then
+                ip route add "$remote_ip" via "$route_net_gateway"
+            fi
+        done
+        for net in 0.0.0.0/1 128.0.0.0/1; do
+            if [[ -z "$(ip route show "$net")" ]]; then
+                ip route add "$net" via "$route_vpn_gateway"
+            fi
+        done
+        for i in $(seq 1 "${#route_networks[@]}"); do
+            if [[ -z "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
+                ip route add "${route_networks[i]}/${route_netmasks[i]}" \
+                  via "${route_gateways[i]}" metric "${route_metrics[i]}" dev "$dev"
+            fi
+        done
+    elif [[ "$*" == down ]]; then
+        for route in "${remote_ips[@]}" 0.0.0.0/1 128.0.0.0/1; do
+            if [[ -n "$route" && -n "$(ip route show "$route")" ]]; then
+                ip route del "$route"
+            fi
+        done
+        for i in $(seq 1 "${#route_networks[@]}"); do
+            if [[ -n "$(ip route show "${route_networks[i]}/${route_netmasks[i]}")" ]]; then
+                ip route del "${route_networks[i]}/${route_netmasks[i]}"
+            fi
+        done
+    fi
+}
+
+# $@ := ""
+update_firewall() {
+    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
+    insert_chain() {
+        if iptables -C "$*" -j "VPNFAILSAFE_$*" 2>/dev/null; then
+            iptables -D "$*" -j "VPNFAILSAFE_$*"
+            for opt in F X; do
+                iptables -"$opt" "VPNFAILSAFE_$*"
+            done
+        fi
+        iptables -N "VPNFAILSAFE_$*"
+        iptables -I "$*" -j "VPNFAILSAFE_$*"
+    }
+
+    # $@ := "INPUT" | "OUTPUT"
+    accept_remotes() {
+        case "$@" in
+            INPUT)  local -r icmp_type=reply   io=i sd=s states="";;
+            OUTPUT) local -r icmp_type=request io=o sd=d states=NEW,;;
+        esac
+        local -r public_nic="$(ip route show "$cur_remote_ip"|cut -d' ' -f5)"
+        local -ar suf=(-m conntrack --ctstate "$states"RELATED,ESTABLISHED -"$io" "${public_nic:?}" -j ACCEPT)
+        icmp_rule() {
+            iptables "$1" "$2" -p icmp --icmp-type "echo-$icmp_type" -"$sd" "$3" "${suf[@]/%ACCEPT/RETURN}"
+        }
+        for ((i=1; i <= ${#remotes[*]}; ++i)); do
+            local port="remote_port_$i"
+            local proto="proto_$i"
+            iptables -A "VPNFAILSAFE_$*" -p "${!proto%-client}" -"$sd" "${remotes[i-1]}" --"$sd"port "${!port}" "${suf[@]}"
+            if ! icmp_rule -C "VPNFAILSAFE_$*" "${remotes[i-1]}" 2>/dev/null; then
+                icmp_rule -A "VPNFAILSAFE_$*" "${remotes[i-1]}"
+            fi
+        done
+        if ! iptables -S|grep -q "^-A VPNFAILSAFE_$* .*-$sd $cur_remote_ip/32 .*-j ACCEPT$"; then
+            for p in tcp udp; do
+                iptables -A "VPNFAILSAFE_$*" -p "$p" -"$sd" "$cur_remote_ip" --"$sd"port "${cur_port}" "${suf[@]}"
+            done
+            icmp_rule -A "VPNFAILSAFE_$*" "$cur_remote_ip"
+        fi
+    }
+
+    # $@ := "OUTPUT" | "FORWARD"
+    reject_dns() {
+        for proto in udp tcp; do
+            iptables -A "VPNFAILSAFE_$*" -p "$proto" --dport 53 ! -o "$dev" -j REJECT
+        done
+    }
+
+    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
+    pass_private_nets() { 
+        case "$@" in
+            INPUT) local -r io=i sd=s;;&
+            OUTPUT|FORWARD) local -r io=o sd=d;;&
+            INPUT) local -r vpn="${ifconfig_remote:-$ifconfig_local}/${ifconfig_netmask:-32}"
+               iptables -A "VPNFAILSAFE_$*" -"$sd" "$vpn" -"$io" "$dev" -j RETURN
+               for i in $(seq 1 "${#route_networks[@]}"); do
+                   iptables -A "VPNFAILSAFE_$*" -"$sd" "${route_networks[i]}/${route_netmasks[i]}" -"$io" "$dev" -j RETURN
+               done;;&
+            *) iptables -A "VPNFAILSAFE_$*" -"$sd" "$private_nets" ! -"$io" "$dev" -j RETURN;;&
+            INPUT) iptables -A "VPNFAILSAFE_$*" -s "$private_nets" -i "$dev" -j DROP;;&
+            *) for iface in "$dev" lo+; do
+                   iptables -A "VPNFAILSAFE_$*" -"$io" "$iface" -j RETURN
+               done;;
+        esac
+    }
+
+    # $@ := "INPUT" | "OUTPUT" | "FORWARD"
+    drop_other() {
+        iptables -A "VPNFAILSAFE_$*" -j DROP
+    }
+
+    for chain in INPUT OUTPUT FORWARD; do
+        insert_chain "$chain"
+        [[ $chain == FORWARD ]] || accept_remotes "$chain"
+        [[ $chain == INPUT ]] || reject_dns "$chain"
+        pass_private_nets "$chain"
+        drop_other "$chain"
+    done
+}
+
+# $@ := ""
+cleanup() {
+    update_resolv down
+    update_routes down
+}
+trap cleanup INT TERM
+
+# $@ := line_number exit_code
+err_msg() {
+    echo "$0:$1: \`$(sed -n "$1,+0{s/^\\s*//;p}" "$0")' returned $2" >&2
+    cleanup
+}
+trap 'err_msg "$LINENO" "$?"' ERR
+
+# $@ := ""
+main() {
+    case "${script_type:-down}" in
+        up) for f in hosts routes firewall; do "update_$f" up; done;;
+        down) update_routes down
+              update_resolv down;;
+    esac
+}
+
+main

common/pc/audio.nix

@@ -2,28 +2,23 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
-    # Audio
-    sound.enable = true;
-
     # enable pulseaudio support for packages
     nixpkgs.config.pulseaudio = true;
 
-    # realtime pulseaudio
+    # realtime audio
     security.rtkit.enable = true;
 
-    hardware.pulseaudio = {
+    services.pipewire = {
       enable = true;
-      support32Bit = true;
-      package = pkgs.pulseaudioFull; # bt headset support
-
-      # TODO: switch on connect isn't working for some reason (at least when in kde)
-      extraConfig = "
-        load-module module-switch-on-connect
-        load-module module-switch-on-connect ignore_virtual=no
-      ";
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
     };
+
     users.users.googlebot.extraGroups = [ "audio" ];
 
     # bt headset support

common/pc/chromium.nix

@@ -2,7 +2,55 @@
 
 let
   cfg = config.de;
-in {
+
+  nv-codec-headers-11-1-5-1 = pkgs.stdenv.mkDerivation rec {
+    pname = "nv-codec-headers";
+    version = "11.1.5.1";
+
+    src = pkgs.fetchgit {
+      url = "https://git.videolan.org/git/ffmpeg/nv-codec-headers.git";
+      rev = "n${version}";
+      sha256 = "yTOKLjyYLxT/nI1FBOMwHpkDhfuua3+6Z5Mpb7ZrRhU=";
+    };
+
+    makeFlags = [
+      "PREFIX=$(out)"
+    ];
+  };
+
+  nvidia-vaapi-driver = pkgs.stdenv.mkDerivation rec {
+    pname = "nvidia-vaapi-driver";
+    version = "0.0.5";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "elFarto";
+      repo = pname;
+      rev = "v${version}";
+      sha256 = "2bycqKolVoaHK64XYcReteuaON9TjzrFhaG5kty28YY=";
+    };
+
+    patches = [
+      ./use-meson-v57.patch
+    ];
+
+    nativeBuildInputs = with pkgs; [
+      meson
+      cmake
+      ninja
+      pkg-config
+    ];
+
+    buildInputs = with pkgs; [
+      nv-codec-headers-11-1-5-1
+      libva
+      gst_all_1.gstreamer
+      gst_all_1.gst-plugins-bad
+      libglvnd
+    ];
+  };
+
+in
+{
   config = lib.mkIf cfg.enable {
     # chromium with specific extensions + settings
     programs.chromium = {
@@ -13,6 +61,9 @@ in {
         "oboonakemofpalcgghocfoadofidjkkk" # keepassxc plugin
         "cimiefiiaegbelhefglklhhakcgmhkai" # plasma integration
         "hkgfoiooedgoejojocmhlaklaeopbecg" # picture in picture
+        "mnjggcdmjocbbbhaepdhchncahnbgone" # SponsorBlock
+        "dhdgffkkebhmkfjojejmpbldmpobfkfo" # Tampermonkey
+        # "ehpdicggenhgapiikfpnmppdonadlnmp" # Disable Scroll Jacking
       ];
       extraOpts = {
         "BrowserSignin" = 0;
@@ -29,17 +80,23 @@ in {
     nixpkgs.config.packageOverrides = pkgs: {
       vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
       chromium = pkgs.chromium.override {
-        gnomeKeyringSupport = true;
         enableWideVine = true;
+        # ungoogled = true;
+        # --enable-native-gpu-memory-buffers # fails on AMD APU
+        # --enable-webrtc-vp9-support
+        commandLineArgs = "--use-vulkan --use-gl=desktop --enable-zero-copy --enable-hardware-overlays --enable-features=VaapiVideoDecoder,CanvasOopRasterization --ignore-gpu-blocklist --enable-accelerated-mjpeg-decode --enable-accelerated-video  --enable-gpu-rasterization";
       };
     };
+    # todo vulkan in chrome
+    # todo video encoding in chrome
     hardware.opengl = {
       enable = true;
       extraPackages = with pkgs; [
         intel-media-driver # LIBVA_DRIVER_NAME=iHD
-        vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
-        vaapiVdpau
+        vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+        # vaapiVdpau
         libvdpau-va-gl
+        nvidia-vaapi-driver
       ];
       extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
     };

common/pc/default.nix

@@ -2,20 +2,23 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   imports = [
     ./kde.nix
     ./xfce.nix
     ./yubikey.nix
     ./chromium.nix
-#    ./firefox.nix
+    #    ./firefox.nix
     ./audio.nix
-#    ./torbrowser.nix
+    #    ./torbrowser.nix
     ./pithos.nix
+    ./spotify.nix
     ./vscodium.nix
     ./discord.nix
     ./steam.nix
     ./touchpad.nix
+    ./mount-samba.nix
   ];
 
   options.de = {
@@ -29,7 +32,31 @@ in {
 
     # Applications
     users.users.googlebot.packages = with pkgs; [
-      chromium keepassxc mumble tigervnc bluez-tools vscodium element-desktop mpv
+      chromium
+      keepassxc
+      mumble
+      tigervnc
+      bluez-tools
+      vscodium
+      element-desktop
+      mpv
+      nextcloud-client
+      signal-desktop
+      minecraft
+      gparted
+      libreoffice-fresh
+      thunderbird
+      spotifyd
+      spotify-qt
+      arduino
+      yt-dlp
+      jellyfin-media-player
+      joplin-desktop
+      config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
+
+      # For Nix IDE
+      nixpkgs-fmt
+      rnix-lsp
     ];
 
     # Networking
@@ -38,6 +65,14 @@ in {
 
     # Printing
     services.printing.enable = true;
+    services.printing.drivers = with pkgs; [
+      gutenprint
+    ];
+    # Printer discovery
+    services.avahi.enable = true;
+    services.avahi.nssmdns = true;
+
+    programs.file-roller.enable = true;
 
     # Security
     services.gnome.gnome-keyring.enable = true;

common/pc/discord.nix

@@ -2,10 +2,11 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     users.users.googlebot.packages = [
       pkgs.discord
     ];
   };
-}
+}

common/pc/firefox.nix

@@ -20,7 +20,7 @@ let
   };
 
   firefox = pkgs.wrapFirefox somewhatPrivateFF {
-   desktopName = "Sneed Browser";
+    desktopName = "Sneed Browser";
 
     nixExtensions = [
       (pkgs.fetchFirefoxAddon {
@@ -71,8 +71,8 @@ let
         TopSites = false;
       };
       UserMessaging = {
-         ExtensionRecommendations = false;
-         SkipOnboarding = true;
+        ExtensionRecommendations = false;
+        SkipOnboarding = true;
       };
       WebsiteFilter = {
         Block = [
@@ -92,4 +92,4 @@ in
   config = lib.mkIf cfg.enable {
     users.users.googlebot.packages = [ firefox ];
   };
-}
+}

common/pc/kde.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     # kde plasma
     services.xserver = {
@@ -14,7 +15,10 @@ in {
     # kde apps
     nixpkgs.config.firefox.enablePlasmaBrowserIntegration = true;
     users.users.googlebot.packages = with pkgs; [
-      akonadi kmail plasma5Packages.kmail-account-wizard
+      # akonadi
+      # kmail
+      # plasma5Packages.kmail-account-wizard
+      kate
     ];
-  };  
+  };
 }

common/pc/mount-samba.nix

@@ -0,0 +1,48 @@
+# mounts the samba share on s0 over tailscale
+
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.mount-samba;
+
+  # prevents hanging on network split and other similar niceties to ensure a stable connection
+  network_opts = "nostrictsync,cache=strict,handlecache,handletimeout=30000,rwpidforward,mapposix,soft,resilienthandles,echo_interval=10,noblocksend,fsc";
+
+  systemd_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+  user_opts = "uid=${toString config.users.users.googlebot.uid},file_mode=0660,dir_mode=0770,user";
+  auth_opts = "sec=ntlmv2i,credentials=/run/agenix/smb-secrets";
+  version_opts = "vers=3.1.1";
+
+  opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
+in
+{
+  options.services.mount-samba = {
+    enable = lib.mkEnableOption "enable mounting samba shares";
+  };
+
+  config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
+    fileSystems."/mnt/public" = {
+      device = "//s0.koi-bebop.ts.net/public";
+      fsType = "cifs";
+      options = [ opts ];
+    };
+
+    fileSystems."/mnt/private" = {
+      device = "//s0.koi-bebop.ts.net/googlebot";
+      fsType = "cifs";
+      options = [ opts ];
+    };
+
+    age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
+
+    environment.shellAliases = {
+      # remount storage
+      remount_public = "sudo systemctl restart mnt-public.mount";
+      remount_private = "sudo systemctl restart mnt-private.mount";
+
+      # Encrypted Vault
+      vault_unlock = "${pkgs.gocryptfs}/bin/gocryptfs /mnt/private/.vault/ /mnt/vault/";
+      vault_lock = "umount /mnt/vault/";
+    };
+  };
+}

common/pc/pithos.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     nixpkgs.overlays = [
       (self: super: {
@@ -11,7 +12,7 @@ in {
           version = "1.5.1";
           src = super.fetchFromGitHub {
             owner = pname;
-            repo  = pname;
+            repo = pname;
             rev = version;
             sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
           };

common/pc/spotify.nix

@@ -0,0 +1,86 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.spotifyd;
+  toml = pkgs.formats.toml { };
+  spotifydConf = toml.generate "spotify.conf" cfg.settings;
+in
+{
+  disabledModules = [
+    "services/audio/spotifyd.nix"
+  ];
+
+  options = {
+    services.spotifyd = {
+      enable = mkEnableOption "spotifyd, a Spotify playing daemon";
+
+      settings = mkOption {
+        default = { };
+        type = toml.type;
+        example = { global.bitrate = 320; };
+        description = ''
+          Configuration for Spotifyd. For syntax and directives, see
+          <link xlink:href="https://github.com/Spotifyd/spotifyd#Configuration"/>.
+        '';
+      };
+
+      users = mkOption {
+        type = with types; listOf str;
+        default = [ ];
+        description = ''
+          Usernames to be added to the "spotifyd" group, so that they
+          can start and interact with the userspace daemon.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    # username specific stuff because i'm lazy...
+    services.spotifyd.users = [ "googlebot" ];
+    users.users.googlebot.packages = with pkgs; [
+      spotify
+      spotify-tui
+    ];
+
+    users.groups.spotifyd = {
+      members = cfg.users;
+    };
+
+    age.secrets.spotifyd = {
+      file = ../../secrets/spotifyd.age;
+      group = "spotifyd";
+      mode = "0440"; # group can read
+    };
+
+    # spotifyd to read secrets and run as user service
+    services.spotifyd = {
+      settings.global = {
+        username_cmd = "sed '1q;d' /run/agenix/spotifyd";
+        password_cmd = "sed '2q;d' /run/agenix/spotifyd";
+        bitrate = 320;
+        backend = "pulseaudio";
+        device_name = config.networking.hostName;
+        device_type = "computer";
+        # on_song_change_hook = "command_to_run_on_playback_events"
+        autoplay = true;
+      };
+    };
+
+    systemd.user.services.spotifyd-daemon = {
+      enable = true;
+      wantedBy = [ "graphical-session.target" ];
+      partOf = [ "graphical-session.target" ];
+      description = "spotifyd, a Spotify playing daemon";
+      environment.SHELL = "/bin/sh";
+      serviceConfig = {
+        ExecStart = "${pkgs.spotifyd}/bin/spotifyd --no-daemon --config-path ${spotifydConf}";
+        Restart = "always";
+        CacheDirectory = "spotifyd";
+      };
+    };
+  };
+}

common/pc/steam.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     programs.steam.enable = true;
     hardware.steam-hardware.enable = true; # steam controller
@@ -11,4 +12,4 @@ in {
       pkgs.steam
     ];
   };
-}
+}

common/pc/torbrowser.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     nixpkgs.overlays = [
       (self: super: {

common/pc/touchpad.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de.touchpad;
-in {
+in
+{
   options.de.touchpad = {
     enable = lib.mkEnableOption "enable touchpad";
   };

common/pc/use-meson-v57.patch

@@ -0,0 +1,22 @@
+diff --git a/meson.build b/meson.build
+index dace367..8c0e290 100644
+--- a/meson.build
++++ b/meson.build
+@@ -8,7 +8,7 @@ project(
+         'warning_level=0',
+     ],
+     license: 'MIT',
+-    meson_version: '>= 0.58.0',
++    meson_version: '>= 0.57.0',
+ )
+ 
+ cc = meson.get_compiler('c')
+@@ -47,8 +47,3 @@ shared_library(
+     gnu_symbol_visibility: 'hidden',
+ )
+ 
+-meson.add_devenv(environment({
+-    'NVD_LOG': '1',
+-    'LIBVA_DRIVER_NAME': 'nvidia',
+-    'LIBVA_DRIVERS_PATH': meson.project_build_root(),
+-}))

common/pc/vscodium.nix

@@ -4,8 +4,8 @@ let
   cfg = config.de;
 
   extensions = with pkgs.vscode-extensions; [
-    bbenoist.Nix # nix syntax support
-#    arrterian.nix-env-selector  # nix dev envs
+    #    bbenoist.Nix # nix syntax support
+    #    arrterian.nix-env-selector  # nix dev envs
   ];
 
   vscodium-with-extensions = pkgs.vscode-with-extensions.override {

common/pc/xfce.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     services.xserver = {
       enable = true;
@@ -14,7 +15,9 @@ in {
     };
 
     # xfce apps
-    users.users.googlebot.packages = with pkgs; [
+    # TODO for some reason whiskermenu needs to be global for it to work
+    environment.systemPackages = with pkgs; [
+      xfce.xfce4-whiskermenu-plugin
     ];
   };
 }

common/pc/yubikey.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.de;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     # yubikey
     services.pcscd.enable = true;

common/pia.nix

@@ -1,98 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  cfg = config.pia;
-in
-{
-  options.pia = {
-    enable = lib.mkEnableOption "Enable private internet access";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.openvpn = {
-      servers = {
-        us-east = {
-          config = ''
-client
-dev tun
-proto udp
-remote us-washingtondc.privacy.network 1198
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-cipher aes-128-cbc
-auth sha1
-tls-client
-remote-cert-tls server
-
-auth-user-pass
-compress
-verb 1
-reneg-sec 0
-<crl-verify>
------BEGIN X509 CRL-----
-MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
-EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
-cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
-HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
-ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
-aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
-MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
-9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
-jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
-B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
-ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
-5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
-MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
------END X509 CRL-----
-</crl-verify>
-
-<ca>
------BEGIN CERTIFICATE-----
-MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
-VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
-BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
-dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
-IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
-FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
-MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
-EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
-QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
-AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
-ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
-bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
-L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
-lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
-cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
-8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
-/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
-OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
-y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
-sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
-b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
-A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
-SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
-czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
-b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
-a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
-ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
-7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
-GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
-1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
-YDQ8z9v+DMO6iwyIDRiU
------END CERTIFICATE-----
-</ca>
-
-disable-occ
-auth-user-pass /run/secrets/pia-login.conf
-          '';
-          autoStart = true;
-          up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
-          down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
-        };
-      };
-    };
-    age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
-  };
-}

common/server/ceph.nix

@@ -3,13 +3,13 @@
 with lib;
 let
   cfg = config.ceph;
-in {
-  options.ceph = {
-  };
+in
+{
+  options.ceph = { };
 
   config = mkIf cfg.enable {
     # ceph.enable = true;
-    
+
     ## S3 Object gateway
     #ceph.rgw.enable = true;
     #ceph.rgw.daemons = [
@@ -40,4 +40,4 @@ in {
     ceph.global.fsid = "925773DC-D95F-476C-BBCD-08E01BF0865F";
 
   };
-}
+}

common/server/default.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./nginx.nix
+    ./thelounge.nix
+    ./mumble.nix
+    ./icecast.nix
+    ./nginx-stream.nix
+    ./matrix.nix
+    ./zerobin.nix
+    ./gitea.nix
+    ./gitea-runner.nix
+    ./privatebin/privatebin.nix
+    ./radio.nix
+    ./samba.nix
+    ./owncast.nix
+    ./mailserver.nix
+    ./nextcloud.nix
+    ./iodine.nix
+    ./searx.nix
+  ];
+}

common/server/gitea-runner.nix

@@ -0,0 +1,98 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.gitea-runner;
+in
+{
+  options.services.gitea-runner = {
+    enable = lib.mkEnableOption "Enables gitea runner";
+    dataDir = lib.mkOption {
+      default = "/var/lib/gitea-runner";
+      type = lib.types.str;
+      description = lib.mdDoc "gitea runner data directory.";
+    };
+    instanceUrl = lib.mkOption {
+      type = lib.types.str;
+    };
+    registrationTokenFile = lib.mkOption {
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+
+    users.users.gitea-runner = {
+      description = "Gitea Runner Service";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+      extraGroups = [
+        "docker" # allow creating docker containers
+      ];
+    };
+    users.groups.gitea-runner = { };
+
+    # registration token
+    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
+    age.secrets.gitea-runner-registration-token = {
+      file = ../../secrets/gitea-runner-registration-token.age;
+      owner = "gitea-runner";
+    };
+
+    systemd.services.gitea-runner = {
+      description = "Gitea Runner";
+
+      serviceConfig = {
+        WorkingDirectory = cfg.dataDir;
+        User = "gitea-runner";
+        Group = "gitea-runner";
+      };
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ gitea-actions-runner ];
+
+      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
+      script = ''
+        . ${cfg.registrationTokenFile}
+
+        if [[ ! -s .runner ]]; then
+          try=$((try + 1))
+          success=0
+
+          LOGFILE="$(mktemp)"
+
+          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
+          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
+          # the context of a single docker-compose, something similar could be done via healthchecks, but
+          # this is more flexible.
+          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
+            act_runner register \
+              --instance "${cfg.instanceUrl}" \
+              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
+              --name     "${config.networking.hostName}" \
+              --no-interactive > $LOGFILE 2>&1
+
+            cat $LOGFILE
+
+            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
+            if [[ $? -eq 0 ]]; then
+              echo "SUCCESS"
+              success=1
+            else
+              echo "Waiting to retry ..."
+              sleep 5
+            fi
+          done
+        fi
+
+        exec act_runner daemon
+      '';
+    };
+  };
+}

common/server/gitea.nix

@@ -1,8 +1,9 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 
 let
   cfg = config.services.gitea;
-in {
+in
+{
   options.services.gitea = {
     hostname = lib.mkOption {
       type = lib.types.str;
@@ -14,17 +15,46 @@ in {
       domain = cfg.hostname;
       rootUrl = "https://${cfg.hostname}/";
       appName = cfg.hostname;
-      ssh.enable = true;
       # lfs.enable = true;
-      dump.enable = true;
-      cookieSecure = true;
-      disableRegistration = true;
+      # dump.enable = true;
       settings = {
         other = {
           SHOW_FOOTER_VERSION = false;
         };
+        ui = {
+          DEFAULT_THEME = "arc-green";
+        };
+        service = {
+          DISABLE_REGISTRATION = true;
+        };
+        session = {
+          COOKIE_SECURE = true;
+        };
+        mailer = {
+          ENABLED = true;
+          MAILER_TYPE = "smtp";
+          SMTP_ADDR = "mail.neet.dev";
+          SMTP_PORT = "465";
+          IS_TLS_ENABLED = true;
+          USER = "robot@runyan.org";
+          FROM = "no-reply@neet.dev";
+        };
+        actions = {
+          ENABLED = true;
+        };
       };
+      mailerPasswordFile = "/run/agenix/robots-email-pw";
     };
+    age.secrets.robots-email-pw = {
+      file = ../../secrets/robots-email-pw.age;
+      owner = config.services.gitea.user;
+    };
+
+    # backups
+    backup.group."gitea".paths = [
+      config.services.gitea.stateDir
+    ];
+
     services.nginx.enable = true;
     services.nginx.virtualHosts.${cfg.hostname} = {
       enableACME = true;
@@ -34,4 +64,4 @@ in {
       };
     };
   };
-}
+}

common/server/hydra.nix

@@ -20,6 +20,6 @@ in
     hydraURL = "https://${domain}";
     useSubstitutes = true;
     notificationSender = notifyEmail;
-    buildMachinesFiles = [];
+    buildMachinesFiles = [ ];
   };
-}
+}

common/server/icecast.nix

@@ -7,7 +7,8 @@
 
 let
   cfg = config.services.icecast;
-in {
+in
+{
   options.services.icecast = {
     mount = lib.mkOption {
       type = lib.types.str;
@@ -17,11 +18,13 @@ in {
       type = lib.types.str;
       example = "fallback.mp3";
     };
+    nginx = lib.mkEnableOption "enable nginx";
   };
 
   config = lib.mkIf cfg.enable {
     services.icecast = {
-      listen.address = "127.0.0.1";
+      listen.address = "0.0.0.0";
+      listen.port = 8001;
       admin.password = "hackme";
       extraConf = ''
         <authentication>
@@ -48,7 +51,7 @@ in {
         </mount>
       '';
     };
-    services.nginx.virtualHosts.${cfg.hostname} = {
+    services.nginx.virtualHosts.${cfg.hostname} = lib.mkIf cfg.nginx {
       enableACME = true;
       forceSSL = true;
       locations."/${cfg.mount}" = {

common/server/iodine.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.iodine.server;
+in
+{
+  config = lib.mkIf cfg.enable {
+    # iodine DNS-based vpn
+    services.iodine.server = {
+      ip = "192.168.99.1";
+      domain = "tun.neet.dev";
+      passwordFile = "/run/agenix/iodine";
+    };
+    age.secrets.iodine.file = ../../secrets/iodine.age;
+    networking.firewall.allowedUDPPorts = [ 53 ];
+
+    networking.nat.internalInterfaces = [
+      "dns0" # iodine
+    ];
+  };
+}

common/server/mailserver.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+
+let
+  cfg = config.mailserver;
+  domains = [
+    "neet.space"
+    "neet.dev"
+    "neet.cloud"
+    "runyan.org"
+    "runyan.rocks"
+    "thunderhex.com"
+    "tar.ninja"
+    "bsd.ninja"
+    "bsd.rocks"
+  ];
+in
+{
+  config = lib.mkIf cfg.enable {
+    # kresd doesn't work with tailscale MagicDNS
+    mailserver.localDnsResolver = false;
+    services.resolved.enable = true;
+
+    mailserver = {
+      fqdn = "mail.neet.dev";
+      dkimKeyBits = 2048;
+      indexDir = "/var/lib/mailindex";
+      enableManageSieve = true;
+      fullTextSearch.enable = true;
+      fullTextSearch.indexAttachments = true;
+      fullTextSearch.memoryLimit = 500;
+      inherit domains;
+      loginAccounts = {
+        "jeremy@runyan.org" = {
+          hashedPasswordFile = "/run/agenix/hashed-email-pw";
+          # catchall for all domains
+          aliases = map (domain: "@${domain}") domains;
+        };
+        "robot@runyan.org" = {
+          aliases = [
+            "no-reply@neet.dev"
+            "robot@neet.dev"
+          ];
+          sendOnly = true;
+          hashedPasswordFile = "/run/agenix/hashed-robots-email-pw";
+        };
+      };
+      rejectRecipients = [
+        "george@runyan.org"
+        "joslyn@runyan.org"
+        "damon@runyan.org"
+        "jonas@runyan.org"
+      ];
+      certificateScheme = 3; # use let's encrypt for certs
+    };
+    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
+    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
+
+    # sendmail to use xxx@domain instead of xxx@mail.domain
+    services.postfix.origin = "$mydomain";
+
+    # relay sent mail through mailgun
+    # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
+    services.postfix.config = {
+      smtp_sasl_auth_enable = "yes";
+      smtp_sasl_security_options = "noanonymous";
+      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
+      smtp_use_tls = "yes";
+      sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
+      smtp_sender_dependent_authentication = "yes";
+    };
+    services.postfix.mapFiles.sender_relay =
+      let
+        relayHost = "[smtp.mailgun.org]:587";
+      in
+      pkgs.writeText "sender_relay"
+        (concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
+    services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
+    age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
+
+    # webmail
+    services.nginx.enable = true;
+    services.roundcube = {
+      enable = true;
+      hostName = config.mailserver.fqdn;
+      extraConfig = ''
+        # starttls needed for authentication, so the fqdn required to match the certificate
+        $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+        $config['smtp_user'] = "%u";
+        $config['smtp_pass'] = "%p";
+      '';
+    };
+
+    # backups
+    backup.group."email".paths = [
+      config.mailserver.mailDirectory
+    ];
+  };
+}

common/server/matrix.nix

@@ -3,7 +3,8 @@
 let
   cfg = config.services.matrix;
   certs = config.security.acme.certs;
-in {
+in
+{
   options.services.matrix = {
     enable = lib.mkEnableOption "enable matrix";
     element-web = {
@@ -59,23 +60,25 @@ in {
   config = lib.mkIf cfg.enable {
     services.matrix-synapse = {
       enable = true;
-      server_name = cfg.host;
-      enable_registration = cfg.enable_registration;
-      listeners = [ {
-        bind_address = "127.0.0.1";
-        port = cfg.port;
-        tls = false;
-        resources = [ {
-          compress = true;
-          names = [ "client" "webclient" "federation" ];
-        } ];
-      } ];
-      turn_uris = [
-        "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
-        "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
-      ];
-      turn_shared_secret = cfg.turn.secret;
-      turn_user_lifetime = "1h";
+      settings = {
+        server_name = cfg.host;
+        enable_registration = cfg.enable_registration;
+        listeners = [{
+          bind_addresses = [ "127.0.0.1" ];
+          port = cfg.port;
+          tls = false;
+          resources = [{
+            compress = true;
+            names = [ "client" "federation" ];
+          }];
+        }];
+        turn_uris = [
+          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
+          "turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
+        ];
+        turn_shared_secret = cfg.turn.secret;
+        turn_user_lifetime = "1h";
+      };
     };
 
     services.coturn = {
@@ -118,7 +121,7 @@ in {
     services.nginx = {
       enable = true;
 
-      virtualHosts.${cfg.host} =  {
+      virtualHosts.${cfg.host} = {
         enableACME = true;
         forceSSL = true;
         listen = [
@@ -135,7 +138,8 @@ in {
         ];
         locations."/".proxyPass = "http://localhost:${toString cfg.port}";
       };
-      virtualHosts.${cfg.turn.host} =  { # get TLS cert for TURN server
+      virtualHosts.${cfg.turn.host} = {
+        # get TLS cert for TURN server
         enableACME = true;
         forceSSL = true;
       };
@@ -184,26 +188,32 @@ in {
           min = 5;
           max = 30;
         };
-        startScreenSharing = true;
+        # startScreenSharing = true;
         videoQuality = {
           disabledCodec = "VP8";
           preferredCodec = "H264";
           enforcePreferredCodec = true;
         };
-        p2p = {
-          enabled = true;
-          preferH264 = true;
-          disabledCodec = "VP8";
-          preferredCodec = "H264";
-          disableH264 = false;
-        };
+        # p2p = {
+        #   enabled = true;
+        #   preferH264 = true;
+        #   disabledCodec = "VP8";
+        #   preferredCodec = "H264";
+        #   disableH264 = false;
+        # };
         requireDisplayName = false;
         disableThirdPartyRequests = true;
-        localRecording = {
-          enabled = false;
-        };
+        localRecording.enabled = false;
         doNotStoreRoom = true;
       };
+      interfaceConfig = {
+        SHOW_JITSI_WATERMARK = false;
+        SHOW_WATERMARK_FOR_GUESTS = false;
+      };
+    };
+    services.jitsi-videobridge = lib.mkIf cfg.jitsi-meet.enable {
+      enable = true;
+      openFirewall = true;
     };
   };
-}
+}

common/server/mumble.nix

@@ -3,7 +3,8 @@
 let
   cfg = config.services.murmur;
   certs = config.security.acme.certs;
-in {
+in
+{
   options.services.murmur.domain = lib.mkOption {
     type = lib.types.str;
   };

common/server/nextcloud.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+  cfg = config.services.nextcloud;
+in
+{
+  config = lib.mkIf cfg.enable {
+    services.nextcloud = {
+      https = true;
+      package = pkgs.nextcloud25;
+      hostName = "neet.cloud";
+      config.dbtype = "sqlite";
+      config.adminuser = "jeremy";
+      config.adminpassFile = "/run/agenix/nextcloud-pw";
+      autoUpdateApps.enable = true;
+      enableBrokenCiphersForSSE = false;
+    };
+    age.secrets.nextcloud-pw = {
+      file = ../../secrets/nextcloud-pw.age;
+      owner = "nextcloud";
+    };
+
+    # backups
+    backup.group."nextcloud".paths = [
+      config.services.nextcloud.home
+    ];
+
+    services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}

common/server/nginx-stream.nix

@@ -5,7 +5,8 @@ let
   nginxWithRTMP = pkgs.nginx.override {
     modules = [ pkgs.nginxModules.rtmp ];
   };
-in {
+in
+{
   options.services.nginx.stream = {
     enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
     port = lib.mkOption {
@@ -51,7 +52,7 @@ in {
       appendConfig = ''
         rtmp {
           server {
-            listen 1935;
+            listen ${toString cfg.port};
             chunk_size 4096;
             application ${cfg.rtmpName} {
               allow publish all;
@@ -72,4 +73,4 @@ in {
       cfg.port
     ];
   };
-}
+}

common/server/nginx.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.services.nginx;
-in {
+in
+{
   config = lib.mkIf cfg.enable {
     services.nginx = {
       recommendedGzipSettings = true;
@@ -13,4 +14,4 @@ in {
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
   };
-}
+}

common/server/owncast.nix

@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+
+with lib;
+
+let
+  cfg = config.services.owncast;
+in
+{
+  options.services.owncast = {
+    hostname = lib.mkOption {
+      type = types.str;
+      example = "example.com";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.owncast.listen = "127.0.0.1";
+    services.owncast.port = 62419; # random port
+
+    networking.firewall.allowedTCPPorts = [ cfg.rtmp-port ];
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

common/server/privatebin/privatebin.nix

@@ -14,7 +14,8 @@ let
       cp -ar $src $out
     '';
   };
-in {
+in
+{
   options.services.privatebin = {
     enable = lib.mkEnableOption "enable privatebin";
     host = lib.mkOption {
@@ -30,7 +31,7 @@ in {
       group = "privatebin";
       isSystemUser = true;
     };
-    users.groups.privatebin = {};
+    users.groups.privatebin = { };
 
     services.nginx.enable = true;
     services.nginx.virtualHosts.${cfg.host} = {
@@ -53,7 +54,7 @@ in {
       "d '/var/lib/privatebin' 0750 privatebin privatebin - -"
     ];
 
-    services.phpfpm.pools.privatebin = {                                                                                                                                                                                                             
+    services.phpfpm.pools.privatebin = {
       user = "privatebin";
       group = "privatebin";
       phpEnv = {

common/server/radio.nix

@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.radio;
+  radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
+in
+{
+  options.services.radio = {
+    enable = lib.mkEnableOption "enable radio";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "radio";
+      description = ''
+        The user radio should run as
+      '';
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "radio";
+      description = ''
+        The group radio should run as
+      '';
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/radio";
+      description = ''
+        Path to the radio data directory
+      '';
+    };
+    host = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        Domain radio is hosted on
+      '';
+    };
+    nginx = lib.mkEnableOption "enable nginx";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.icecast = {
+      enable = true;
+      hostname = cfg.host;
+      mount = "stream.mp3";
+      fallback = "fallback.mp3";
+    };
+
+    services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".root = config.inputs.radio-web;
+    };
+
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      home = cfg.dataDir;
+      createHome = true;
+    };
+    users.groups.${cfg.group} = { };
+    systemd.services.radio = {
+      enable = true;
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
+      serviceConfig.User = cfg.user;
+      serviceConfig.Group = cfg.group;
+      serviceConfig.WorkingDirectory = cfg.dataDir;
+      preStart = ''
+        mkdir -p ${cfg.dataDir}
+        chown ${cfg.user} ${cfg.dataDir}
+      '';
+    };
+  };
+}

common/server/samba.nix

@@ -0,0 +1,120 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.services.samba.enable {
+    services.samba = {
+      openFirewall = true;
+      package = pkgs.sambaFull; # printer sharing
+      securityType = "user";
+
+      # should this be on?
+      nsswins = true;
+
+      extraConfig = ''
+        workgroup = HOME
+        server string = smbnix
+        netbios name = smbnix
+        security = user 
+        use sendfile = yes
+        min protocol = smb2
+        guest account = nobody
+        map to guest = bad user
+
+        # printing
+        load printers = yes
+        printing = cups
+        printcap name = cups
+
+        hide files = /.nobackup/.DS_Store/._.DS_Store/
+      '';
+
+      shares = {
+        public = {
+          path = "/data/samba/Public";
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "public_data";
+          "force group" = "public_data";
+        };
+        googlebot = {
+          path = "/data/samba/googlebot";
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "valid users" = "googlebot";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "googlebot";
+          "force group" = "users";
+        };
+        cris = {
+          path = "/data/samba/cris";
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "valid users" = "cris";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "root";
+          "force group" = "users";
+        };
+        printers = {
+          comment = "All Printers";
+          path = "/var/spool/samba";
+          public = "yes";
+          browseable = "yes";
+          # to allow user 'guest account' to print.
+          "guest ok" = "yes";
+          writable = "no";
+          printable = "yes";
+          "create mode" = 0700;
+        };
+      };
+    };
+
+    # backups
+    backup.group."samba".paths = [
+      config.services.samba.shares.googlebot.path
+      config.services.samba.shares.cris.path
+      config.services.samba.shares.public.path
+    ];
+
+    # Windows discovery of samba server
+    services.samba-wsdd = {
+      enable = true;
+
+      # are these needed?
+      workgroup = "HOME";
+      hoplimit = 3;
+      discovery = true;
+    };
+    networking.firewall.allowedTCPPorts = [ 5357 ];
+    networking.firewall.allowedUDPPorts = [ 3702 ];
+
+    # Printer discovery
+    # (is this needed?)
+    services.avahi.enable = true;
+    services.avahi.nssmdns = true;
+
+    # printer sharing
+    systemd.tmpfiles.rules = [
+      "d /var/spool/samba 1777 root root -"
+    ];
+
+    users.groups.public_data.gid = 994;
+    users.users.public_data = {
+      isSystemUser = true;
+      group = "public_data";
+      uid = 994;
+    };
+    users.users.googlebot.extraGroups = [ "public_data" ];
+
+    # samba user for share
+    users.users.cris.isSystemUser = true;
+    users.users.cris.group = "cris";
+    users.groups.cris = { };
+  };
+}

common/server/searx.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.searx;
+in
+{
+  config = lib.mkIf cfg.enable {
+    services.searx = {
+      environmentFile = "/run/agenix/searx";
+      settings = {
+        server.port = 43254;
+        server.secret_key = "@SEARX_SECRET_KEY@";
+        engines = [{
+          name = "wolframalpha";
+          shortcut = "wa";
+          api_key = "@WOLFRAM_API_KEY@";
+          engine = "wolframalpha_api";
+        }];
+      };
+    };
+    services.nginx.virtualHosts."search.neet.space" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
+      };
+    };
+    age.secrets.searx.file = ../../secrets/searx.age;
+  };
+}

common/server/thelounge.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.services.thelounge;
-in {
+in
+{
   options.services.thelounge = {
     fileUploadBaseUrl = lib.mkOption {
       type = lib.types.str;
@@ -23,12 +24,12 @@ in {
 
   config = lib.mkIf cfg.enable {
     services.thelounge = {
-      private = true;
+      public = false;
       extraConfig = {
         reverseProxy = true;
         maxHistory = -1;
         https.enable = false;
-  #      theme = "thelounge-theme-solarized";
+        #      theme = "thelounge-theme-solarized";
         prefetch = false;
         prefetchStorage = false;
         fileUpload = {
@@ -42,6 +43,10 @@ in {
       };
     };
 
+    backup.group."thelounge".paths = [
+      "/var/lib/thelounge/"
+    ];
+
     # the lounge client
     services.nginx.virtualHosts.${cfg.host} = {
       enableACME = true;

common/server/video-stream.nix

@@ -15,14 +15,14 @@ let
 in
 {
   networking.firewall.allowedUDPPorts = [ rtp-port ];
-  networking.firewall.allowedTCPPortRanges = [ {
+  networking.firewall.allowedTCPPortRanges = [{
     from = webrtc-peer-lower-port;
     to = webrtc-peer-upper-port;
-  } ];
-  networking.firewall.allowedUDPPortRanges = [ { 
+  }];
+  networking.firewall.allowedUDPPortRanges = [{
     from = webrtc-peer-lower-port;
     to = webrtc-peer-upper-port;
-  } ];
+  }];
 
   virtualisation.docker.enable = true;
 
@@ -49,12 +49,12 @@ in
         ports = [
           "${toStr ingest-port}:8084"
         ];
-#        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/ingest";
-#          finalImageTag = "version-0.1.4";
-#          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
-#          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
-#        };
+        #        imageFile = pkgs.dockerTools.pullImage {
+        #          imageName = "projectlightspeed/ingest";
+        #          finalImageTag = "version-0.1.4";
+        #          imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
+        #          sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
+        #        };
       };
       "lightspeed-react" = {
         workdir = "/var/lib/lightspeed-react";
@@ -62,12 +62,12 @@ in
         ports = [
           "${toStr web-port}:80"
         ];
-#        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/react";
-#          finalImageTag = "version-0.1.3";
-#          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
-#          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
-#        };
+        #        imageFile = pkgs.dockerTools.pullImage {
+        #          imageName = "projectlightspeed/react";
+        #          finalImageTag = "version-0.1.3";
+        #          imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
+        #          sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
+        #        };
       };
       "lightspeed-webrtc" = {
         workdir = "/var/lib/lightspeed-webrtc";
@@ -79,15 +79,18 @@ in
           "${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
         ];
         cmd = [
-          "lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}"
-          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run"
+          "lightspeed-webrtc"
+          "--addr=0.0.0.0"
+          "--ip=${domain}"
+          "--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
+          "run"
         ];
-#        imageFile = pkgs.dockerTools.pullImage {
-#          imageName = "projectlightspeed/webrtc";
-#          finalImageTag = "version-0.1.2";
-#          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
-#          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
-#        };
+        #        imageFile = pkgs.dockerTools.pullImage {
+        #          imageName = "projectlightspeed/webrtc";
+        #          finalImageTag = "version-0.1.2";
+        #          imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
+        #          sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
+        #        };
       };
     };
   };

common/server/vscode/modules/vscode-server/default.nix

@@ -1,8 +1,8 @@
 import ./module.nix ({ name, description, serviceConfig }:
 
-{
-  systemd.user.services.${name} = {
-    inherit description serviceConfig;
-    wantedBy = [ "default.target" ];
-  };
-})
+  {
+    systemd.user.services.${name} = {
+      inherit description serviceConfig;
+      wantedBy = [ "default.target" ];
+    };
+  })

common/server/vscode/modules/vscode-server/home.nix

@@ -1,15 +1,15 @@
 import ./module.nix ({ name, description, serviceConfig }:
 
-{
-  systemd.user.services.${name} = {
-    Unit = {
-      Description = description;
-    };
+  {
+    systemd.user.services.${name} = {
+      Unit = {
+        Description = description;
+      };
 
-    Service = serviceConfig;
+      Service = serviceConfig;
 
-    Install = {
-      WantedBy = [ "default.target" ];
+      Install = {
+        WantedBy = [ "default.target" ];
+      };
     };
-  };
-})
+  })

common/server/zerobin.nix

@@ -2,7 +2,8 @@
 
 let
   cfg = config.services.zerobin;
-in {
+in
+{
   options.services.zerobin = {
     host = lib.mkOption {
       type = lib.types.str;

common/shell.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+# Improvements to the default shell
+# - use nix-index for command-not-found
+# - disable fish's annoying greeting message
+# - add some handy shell commands
+
+{
+  environment.systemPackages = with pkgs; [
+    comma
+  ];
+
+  # nix-index
+  programs.nix-index.enable = true;
+  programs.nix-index.enableFishIntegration = true;
+  programs.command-not-found.enable = false;
+
+  programs.fish = {
+    enable = true;
+
+    shellInit = ''
+      # disable annoying fish shell greeting
+      set fish_greeting
+
+      alias sudo="doas"
+    '';
+  };
+
+  environment.shellAliases = {
+    myip = "dig +short myip.opendns.com @resolver1.opendns.com";
+
+    # https://linuxreviews.org/HOWTO_Test_Disk_I/O_Performance
+    io_seq_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=read --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_seq_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=write --size=2g --io_size=10g --blocksize=1024k --ioengine=libaio --fsync=10000 --iodepth=32 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_read = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randread --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=32 --runtime=60 --group_reporting; rm temp.file";
+    io_rand_write = "${pkgs.fio}/bin/fio --name TEST --eta-newline=5s --filename=temp.file --rw=randrw --size=2g --io_size=10g --blocksize=4k --ioengine=libaio --fsync=1 --iodepth=1 --direct=1 --numjobs=1 --runtime=60 --group_reporting; rm temp.file";
+  };
+
+  nixpkgs.overlays = [
+    (final: prev: {
+      # comma uses the "nix-index" package built into nixpkgs by default.
+      # That package doesn't use the prebuilt nix-index database so it needs to be changed.
+      comma = prev.comma.overrideAttrs (old: {
+        postInstall = ''
+          wrapProgram $out/bin/comma \
+            --prefix PATH : ${lib.makeBinPath [ prev.fzy config.programs.nix-index.package ]}
+          ln -s $out/bin/comma $out/bin/,
+        '';
+      });
+    })
+  ];
+}

common/ssh.nix

@@ -1,15 +1,38 @@
-rec {
-  users = [
+{ config, lib, pkgs, ... }:
+
+{
+  programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
+    (host: cfg: {
+      ${host} = {
+        hostNames = cfg.hostNames;
+        publicKey = cfg.hostKey;
+      };
+      "${host}-remote-unlock" =
+        if cfg.remoteUnlock != null then {
+          hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
+          publicKey = cfg.remoteUnlock.hostKey;
+        } else null;
+    })
+    config.machines.hosts);
+
+  # prebuilt cmds for easy ssh LUKS unlock
+  environment.shellAliases =
+    let
+      unlockHosts = unlockType: lib.concatMapAttrs
+        (host: cfg:
+          if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
+            ${host} = cfg.remoteUnlock.${unlockType};
+          } else { })
+        config.machines.hosts;
+    in
+    lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
+    //
+    lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
+
+  # TODO: Old ssh keys I will remove some day...
+  machines.ssh.userKeys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPiDbsEB1HXvPDlASKwZxNoQabxikCa8ptvqdqROD1WG" # ray
   ];
-  system = {
-    liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl";
-    mitty = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE2oSon3hKFqdDbfWXjc72trCWsdi16eEppeXkKRTEn";
-    ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKboRF1Nz/bTPs4VB2QcTAIvWER0nlp6E/iG6/B1IzwF";
-  };
-  systems = [ system.liza system.mitty system.ray ];
-}
+}

common/zerotier.nix

@@ -1,14 +0,0 @@
-{ lib, config, ... }:
-
-let
-  cfg = config.services.zerotierone;
-in {
-  config = lib.mkIf cfg.enable {
-    services.zerotierone.joinNetworks = [
-      "565799d8f6d654c0"
-    ];
-    networking.firewall.allowedUDPPorts = [
-      9993
-    ];
-  };
-}

flake.lock

@@ -2,14 +2,17 @@
   "nodes": {
     "agenix": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "darwin": "darwin",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1620877075,
-        "narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=",
+        "lastModified": 1682101079,
+        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3",
+        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
         "type": "github"
       },
       "original": {
@@ -18,77 +21,307 @@
         "type": "github"
       }
     },
+    "archivebox": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1648612759,
+        "narHash": "sha256-SJwlpD2Wz3zFoX2mIYCQfwIOYHaOdeiWGFeDXsLGM84=",
+        "ref": "refs/heads/master",
+        "rev": "39d338b9b24159d8ef3309eecc0d32a2a9f102b5",
+        "revCount": 2,
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/archivebox.git"
+      }
+    },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "dailybuild_modules": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1651719222,
+        "narHash": "sha256-p/GY5vOP+HUlxNL4OtEhmBNEVQsedOHXEmjfCGONVmE=",
+        "ref": "refs/heads/master",
+        "rev": "1290ddd9a2ff2bf2d0f702750768312b80efcd34",
+        "revCount": 19,
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/dailybuild_modules.git"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": [
+          "simple-nixos-mailserver",
+          "utils"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682063650,
+        "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nix-index-database": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1681591833,
+        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
+        "owner": "Mic92",
+        "repo": "nix-index-database",
+        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "nix-index-database",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1618628710,
-        "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
-        "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
-        "rev": "7919518f0235106d050c77837df5e338fb94de5d",
-        "type": "path"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1622622179,
-        "narHash": "sha256-XCw/9QDuj9J6prVR8YrteTcFKj2sRWYIjwgs8qOOrYQ=",
+        "lastModified": 1682133240,
+        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "eaba7870ffc3400eca4407baa24184b7fe337ec1",
+        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-21.05",
+        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1607522989,
-        "narHash": "sha256-o/jWhOSAlaK7y2M57OIriRt6whuVVocS/T0mG7fd1TI=",
+        "lastModified": 1654936503,
+        "narHash": "sha256-soKzdhI4jTHv/rSbh89RdlcJmrPgH8oMb/PLqiqIYVQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4",
+        "rev": "dab6df51387c3878cdea09f43589a15729cae9f4",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
-        "ref": "nixos-unstable",
+        "ref": "nixos-22.05",
         "type": "indirect"
       }
     },
+    "nixpkgs-hostapd-pr": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
+        "type": "file",
+        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
+      }
+    },
+    "radio": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1631585589,
+        "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
+        "ref": "main",
+        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
+        "revCount": 38,
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/radio.git"
+      },
+      "original": {
+        "ref": "main",
+        "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/radio.git"
+      }
+    },
+    "radio-web": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1652121792,
+        "narHash": "sha256-j1Y9MAjUVNgyFSeGzPoqibAnEysJDjZSXukVfQ7+bsQ=",
+        "ref": "refs/heads/master",
+        "rev": "72e7a9e80b780c84ed8d4a6374bfbb242701f900",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/radio-web.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.neet.dev/zuckerberg/radio-web.git"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
-        "nixpkgs": "nixpkgs_2",
+        "archivebox": "archivebox",
+        "dailybuild_modules": "dailybuild_modules",
+        "deploy-rs": "deploy-rs",
+        "flake-utils": "flake-utils",
+        "nix-index-database": "nix-index-database",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-hostapd-pr": "nixpkgs-hostapd-pr",
+        "radio": "radio",
+        "radio-web": "radio-web",
         "simple-nixos-mailserver": "simple-nixos-mailserver"
       }
     },
     "simple-nixos-mailserver": {
       "inputs": {
-        "nixpkgs": "nixpkgs_3",
+        "blobs": "blobs",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-22_05": "nixpkgs-22_05",
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1622448045,
-        "narHash": "sha256-duIjiaBwdkY+JpeVbQSt0SOrYQ4GDH5XoT3xZOz4jPA=",
+        "lastModified": 1655930346,
+        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "6e0690093c24261192ee5c0557f85791a67eec29",
+        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
         "type": "gitlab"
       },
       "original": {
         "owner": "simple-nixos-mailserver",
-        "ref": "nixos-21.05",
+        "ref": "nixos-22.05",
         "repo": "nixos-mailserver",
         "type": "gitlab"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "utils": {
       "locked": {
         "lastModified": 1605370193,

flake.nix

@@ -1,45 +1,146 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
-    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
+    # nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff";
+    # nixpkgs-patch-howdy.flake = false;
+
+    flake-utils.url = "github:numtide/flake-utils";
+
+    # mail server
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
+    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+
+    # agenix
     agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+
+    # radio
+    radio.url = "git+https://git.neet.dev/zuckerberg/radio.git?ref=main&rev=5bf607fed977d41a269942a7d1e92f3e6d4f2473";
+    radio.inputs.nixpkgs.follows = "nixpkgs";
+    radio.inputs.flake-utils.follows = "flake-utils";
+    radio-web.url = "git+https://git.neet.dev/zuckerberg/radio-web.git";
+    radio-web.flake = false;
+
+    # drastikbot
+    dailybuild_modules.url = "git+https://git.neet.dev/zuckerberg/dailybuild_modules.git";
+    dailybuild_modules.inputs.nixpkgs.follows = "nixpkgs";
+    dailybuild_modules.inputs.flake-utils.follows = "flake-utils";
+
+    # archivebox
+    archivebox.url = "git+https://git.neet.dev/zuckerberg/archivebox.git";
+    archivebox.inputs.nixpkgs.follows = "nixpkgs";
+    archivebox.inputs.flake-utils.follows = "flake-utils";
+
+    # nixos config deployment
+    deploy-rs.url = "github:serokell/deploy-rs";
+    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
+    deploy-rs.inputs.utils.follows = "simple-nixos-mailserver/utils";
+
+    # prebuilt nix-index database
+    nix-index-database.url = "github:Mic92/nix-index-database";
+    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+
+    nixpkgs-hostapd-pr.url = "https://github.com/NixOS/nixpkgs/pull/222536.patch";
+    nixpkgs-hostapd-pr.flake = false;
   };
 
-  outputs = inputs: {
-
-    nixosConfigurations =
+  outputs = { self, nixpkgs, ... }@inputs:
     let
-      mkSystem = system: path:
-        inputs.nixpkgs.lib.nixosSystem {
-          inherit system;
-          modules = [
-            path
-            ./common/common.nix
-            inputs.simple-nixos-mailserver.nixosModule
-            inputs.agenix.nixosModules.age
-            {
-              environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
-            }
-          ];
-          specialArgs = { inherit inputs; };
-        };
+      machines = (import ./common/machine-info/moduleless.nix
+        {
+          inherit nixpkgs;
+          assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
+        }).machines.hosts;
     in
     {
-      "reg" = mkSystem "x86_64-linux" ./machines/reg/configuration.nix;
-      "ray" = mkSystem "x86_64-linux" ./machines/ray/configuration.nix;
-      "mitty" = mkSystem "x86_64-linux" ./machines/mitty/configuration.nix;
-      "nanachi" = mkSystem "x86_64-linux" ./machines/nanachi/configuration.nix;
-      "riko" = mkSystem "x86_64-linux" ./machines/riko/configuration.nix;
-      "neetdev" = mkSystem "x86_64-linux" ./machines/neet.dev/configuration.nix;
-      "liza" = mkSystem "x86_64-linux" ./machines/liza/configuration.nix;
-      "s0" = mkSystem "aarch64-linux" ./machines/storage/s0/configuration.nix;
-      "n1" = mkSystem "aarch64-linux" ./machines/compute/n1/configuration.nix;
-      "n2" = mkSystem "aarch64-linux" ./machines/compute/n2/configuration.nix;
-      "n3" = mkSystem "aarch64-linux" ./machines/compute/n3/configuration.nix;
-      "n4" = mkSystem "aarch64-linux" ./machines/compute/n4/configuration.nix;
-      "n5" = mkSystem "aarch64-linux" ./machines/compute/n5/configuration.nix;
-      "n6" = mkSystem "aarch64-linux" ./machines/compute/n6/configuration.nix;
-      "n7" = mkSystem "aarch64-linux" ./machines/compute/n7/configuration.nix;
+      nixosConfigurations =
+        let
+          modules = system: hostname: with inputs; [
+            ./common
+            simple-nixos-mailserver.nixosModule
+            agenix.nixosModules.default
+            dailybuild_modules.nixosModule
+            archivebox.nixosModule
+            nix-index-database.nixosModules.nix-index
+            ({ lib, ... }: {
+              config = {
+                environment.systemPackages = [
+                  agenix.packages.${system}.agenix
+                ];
+
+                networking.hostName = hostname;
+              };
+
+              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
+              options.inputs = lib.mkOption { default = inputs; };
+              options.currentSystem = lib.mkOption { default = system; };
+            })
+          ];
+
+          mkSystem = system: nixpkgs: path: hostname:
+            let
+              allModules = modules system hostname;
+
+              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
+              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
+                name = "nixpkgs-patched";
+                src = nixpkgs;
+                patches = [
+                  inputs.nixpkgs-hostapd-pr
+                  ./patches/kexec-luks.patch
+                ];
+              };
+              patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
+
+            in
+            patchedNixpkgs.lib.nixosSystem {
+              inherit system;
+              modules = allModules ++ [ path ];
+
+              specialArgs = {
+                inherit allModules;
+              };
+            };
+        in
+        nixpkgs.lib.mapAttrs
+          (hostname: cfg:
+            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
+          machines;
+
+      packages =
+        let
+          mkKexec = system:
+            (nixpkgs.lib.nixosSystem {
+              inherit system;
+              modules = [ ./machines/ephemeral/kexec.nix ];
+            }).config.system.build.kexec_tarball;
+          mkIso = system:
+            (nixpkgs.lib.nixosSystem {
+              inherit system;
+              modules = [ ./machines/ephemeral/iso.nix ];
+            }).config.system.build.isoImage;
+        in
+        {
+          "x86_64-linux"."kexec" = mkKexec "x86_64-linux";
+          "x86_64-linux"."iso" = mkIso "x86_64-linux";
+          "aarch64-linux"."kexec" = mkKexec "aarch64-linux";
+          "aarch64-linux"."iso" = mkIso "aarch64-linux";
+        };
+
+      deploy.nodes =
+        let
+          mkDeploy = configName: arch: hostname: {
+            inherit hostname;
+            magicRollback = false;
+            sshUser = "root";
+            profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
+          };
+        in
+        nixpkgs.lib.mapAttrs
+          (hostname: cfg:
+            mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
+          machines;
+
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
     };
-  };
 }

lockfile-update.sh

@@ -0,0 +1,4 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash
+
+nix flake update --commit-lock-file

machines/compute/common.nix

@@ -1,24 +0,0 @@
-{ config, ... }:
-
-{
-  # NixOS wants to enable GRUB by default
-  boot.loader.grub.enable = false;
-  # Enables the generation of /boot/extlinux/extlinux.conf
-  boot.loader.generic-extlinux-compatible.enable = true;
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/NIXOS_SD";
-      fsType = "ext4";
-    };
-  };
-
-  nix.flakes.enable = true;
-
-  networking.interfaces.eth0.useDHCP = true;
-
-  hardware.deviceTree.enable = true;
-  hardware.deviceTree.overlays = [
-    ./sopine-baseboard-ethernet.dtbo # fix pine64 clusterboard ethernet
-  ];
-}

machines/compute/n1/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n1";
-}

machines/compute/n2/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n2";
-}

machines/compute/n3/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n3";
-}

machines/compute/n4/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n4";
-}

machines/compute/n5/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n5";
-}

machines/compute/n6/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n6";
-}

machines/compute/n7/configuration.nix

@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
-  imports = [
-    ../common.nix
-  ];
-
-  networking.hostName = "n7";
-}

machines/compute/sopine-baseboard-ethernet.dts

@@ -1,15 +0,0 @@
-/dts-v1/;
-
-/ {
-	model = "SoPine with baseboard";
-	compatible = "pine64,sopine-baseboard\0pine64,sopine\0allwinner,sun50i-a64";
-
-	fragment@0 {
-/*		target = <&ethernet@1c30000>; */
-		target-path = "/soc/ethernet@1c30000";
-		__overlay__ {
-			allwinner,tx-delay-ps = <500>;
-		};
-	};
-
-};

machines/ephemeral/iso.nix

@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/iso-image.nix")
+    ./minimal.nix
+  ];
+
+  isoImage.makeUsbBootable = true;
+
+  networking.hostName = "iso";
+}

machines/ephemeral/kexec.nix

@@ -0,0 +1,48 @@
+# From https://mdleom.com/blog/2021/03/09/nixos-oracle/#Build-a-kexec-tarball
+# Builds a kexec img
+
+{ config, pkgs, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/installer/netboot/netboot.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./minimal.nix
+  ];
+
+  networking.hostName = "kexec";
+
+  # stripped down version of https://github.com/cleverca22/nix-tests/tree/master/kexec
+  system.build = rec {
+    image = pkgs.runCommand "image" { buildInputs = [ pkgs.nukeReferences ]; } ''
+      mkdir $out
+      if [ -f ${config.system.build.kernel}/bzImage ]; then
+        cp ${config.system.build.kernel}/bzImage $out/kernel
+      else
+        cp ${config.system.build.kernel}/Image $out/kernel
+      fi
+      cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
+      nuke-refs $out/kernel
+    '';
+    kexec_script = pkgs.writeTextFile {
+      executable = true;
+      name = "kexec-nixos";
+      text = ''
+        #!${pkgs.stdenv.shell}
+        set -e
+        ${pkgs.kexectools}/bin/kexec -l ${image}/kernel --initrd=${image}/initrd --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
+        sync
+        echo "executing kernel, filesystems will be improperly umounted"
+        ${pkgs.kexectools}/bin/kexec -e
+      '';
+    };
+    kexec_tarball = pkgs.callPackage (modulesPath + "/../lib/make-system-tarball.nix") {
+      storeContents = [
+        {
+          object = config.system.build.kexec_script;
+          symlink = "/kexec_nixos";
+        }
+      ];
+      contents = [ ];
+    };
+  };
+}

machines/ephemeral/minimal.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/cd-dvd/channel.nix")
+    ../../common/machine-info
+    ../../common/ssh.nix
+  ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
+  boot.kernelParams = [
+    "panic=30"
+    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+    "console=ttyS0,115200" # enable serial console
+    "console=tty1"
+  ];
+  boot.kernel.sysctl."vm.overcommit_memory" = "1";
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  system.stateVersion = "21.11";
+
+  # hardware.enableAllFirmware = true;
+  # nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+    cryptsetup
+    btrfs-progs
+    git
+    git-lfs
+    wget
+    htop
+    dnsutils
+    pciutils
+    usbutils
+    lm_sensors
+  ];
+
+  environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
+
+  networking.useDHCP = true;
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+    };
+  };
+
+  services.getty.autologinUser = "root";
+  users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
+}

machines/liza/configuration.nix

@@ -1,95 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports =[
-    ./hardware-configuration.nix
-  ];
-
-  # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
-
-  nix.flakes.enable = true;
-
-  bios = {
-    enable = true;
-    device = "/dev/sda";
-  };
-
-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/2f736fba-8a0c-4fb5-8041-c849fb5e1297";
-  };
-
-  networking.hostName = "liza";
-
-  networking.interfaces.enp1s0.useDHCP = true;
-
-  services.gitea = {
-    enable = true;
-    hostname = "git.neet.dev";
-    disableRegistration = true;
-  };
-
-  services.searx = {
-    enable = true;
-    environmentFile = "/run/secrets/searx";
-    settings = {
-      server.port = 8080;
-      server.secret_key = "@SEARX_SECRET_KEY@";
-      engines = [ {
-        name = "wolframalpha";
-        shortcut = "wa";
-        api_key = "@WOLFRAM_API_KEY@";
-        engine = "wolframalpha_api";
-      } ];
-    };
-  };
-  services.nginx.virtualHosts."search.neet.space" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
-    };
-  };
-  age.secrets.searx.file = ../../secrets/searx.age;
-
-  services.minecraft-server = {
-    enable = true;
-    jvmOpts = "-Xms2048M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
-    eula = true;
-    declarative = true;
-    serverProperties = {
-      motd = "Welcome :)";
-      server-port = 38358;
-      white-list = false;
-    };
-    openFirewall = true;
-    package = pkgs.minecraft-server.overrideAttrs (old: {
-      version = "1.17";
-      src = pkgs.fetchurl {
-        url = "https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar";
-        sha1 = "0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e";
-      };
-    });
-  };
-
-  services.nginx.virtualHosts."radio.neet.space" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/".root = builtins.fetchTarball {
-      url = "https://git.neet.dev/zuckerberg/radio-web/archive/a69e0e27b70694a8fffe8834d7e5f0e67db83dfa.tar.gz";
-      sha256 = "076q540my5ssbhwlc8v8vafcddcq7ydxnzagw4qqr1ii6ikfn80w";
-    };
-  };
-
-  services.nginx.virtualHosts."paradigminteractive.agency" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/".root = builtins.fetchTarball {
-      url = "https://git.neet.dev/zuckerberg/paradigminteractive.agency/archive/b91f3ea2884ddd902461a8acb47f20ae04bc28ee.tar.gz";
-      sha256 = "1x1fpsd1qr0004hfcxk6j4c4n3wwxykzhnv47gmrdnx5hq1nbzq4";
-    };
-  };
-
-  security.acme.acceptTerms = true;
-  security.acme.email = "zuckerberg@neet.dev";
-}

machines/liza/hardware-configuration.nix

@@ -1,36 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "floppy" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/b90eaf3c-2f91-499a-a066-861e0f4478df";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2b8f6f6d-9358-4d30-8341-7426574e0819";
-      fsType = "ext3";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/ef7a83db-4b33-41d1-85fc-cff69e480352"; }
-    ];
-
-}

machines/mitty/configuration.nix

@@ -1,122 +0,0 @@
-{ config, pkgs, lib, inputs, ... }:
-
-{
-  imports =[
-    ./hardware-configuration.nix
-  ];
-
-  # cuxhh3ei2djpgf2zdkboceuhaxavgr3ipu3d7a2swx4giy2wosfxspyd.onion
-
-  nix.flakes.enable = true;
-
-  bios = {
-    enable = true;
-    device = "/dev/vda";
-  };
-
-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/6dcf23ea-cb5e-4329-a88b-832209918c40";
-  };
-
-  networking.hostName = "mitty";
-
-  networking.interfaces.ens3.useDHCP = true;
-
-  services.nginx.enable = true;
-
-  containers.jellyfin = {
-    ephemeral = true;
-    autoStart = true;
-    bindMounts = {
-      "/var/lib" = {
-        hostPath = "/var/lib/";
-        isReadOnly = false;
-      };
-    };
-    bindMounts = {
-      "/run/secrets" = {
-        hostPath = "/run/secrets";
-        isReadOnly = true;
-      };
-    };
-    enableTun = true;
-    privateNetwork = true;
-    hostAddress = "172.16.100.1";
-    localAddress = "172.16.100.2";
-    config = {
-      imports = [
-        ../../common/common.nix
-        inputs.agenix.nixosModules.age
-      ];
-      pia.enable = true;
-      nixpkgs.pkgs = pkgs;
-
-      services.radarr.enable = true;
-      services.radarr.openFirewall = true;
-      services.bazarr.enable = true;
-      services.bazarr.openFirewall = true;
-      services.sonarr.enable = true;
-      services.sonarr.openFirewall = true;
-      services.jackett.enable = true;
-      services.jackett.openFirewall = true;
-      services.jellyfin.enable = true;
-      services.jellyfin.openFirewall = true;
-      services.deluge.enable = true;
-      services.deluge.web.enable = true;
-      services.deluge.web.openFirewall = true;
-    };
-  };
-
-  services.nginx.virtualHosts."radarr.neet.cloud" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://172.16.100.2:7878";
-    };
-  };
-  services.nginx.virtualHosts."sonarr.neet.cloud" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://172.16.100.2:8989";
-    };
-  };
-  services.nginx.virtualHosts."bazarr.neet.cloud" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://172.16.100.2:6767";
-    };
-  };
-  services.nginx.virtualHosts."jellyfin.neet.cloud" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://172.16.100.2:8096";
-    };
-  };
-  services.nginx.virtualHosts."deluge.neet.cloud" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://172.16.100.2:8112";
-    };
-  };
-  services.nginx.virtualHosts."jackett.neet.cloud" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://172.16.100.2:9117";
-    };
-  };
-  # load the secret on behalf of the container
-  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
-
-  networking.nat.enable = true;
-  networking.nat.internalInterfaces = [ "ve-jellyfin" ];
-  networking.nat.externalInterface = "ens3";
-
-  security.acme.acceptTerms = true;
-  security.acme.email = "letsencrypt+5@tar.ninja";
-}

machines/mitty/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/mapper/vg-root";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/mapper/vg-root";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/78f9b9a3-40f6-4c6c-a599-5d5067ffa214";
-      fsType = "ext3";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/26252a81-8a98-45d0-8507-494ecb3901e7"; }
-    ];
-
-}

machines/mitty/peertube.yaml

@@ -1,513 +0,0 @@
-listen:
-  hostname: 'localhost'
-  port: 9000
-
-# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
-webserver:
-  https: true
-  hostname: 'mitty.neet.dev'
-  port: 443
-
-rates_limit:
-  api:
-    # 50 attempts in 10 seconds
-    window: 10 seconds
-    max: 50
-  login:
-    # 15 attempts in 5 min
-    window: 5 minutes
-    max: 15
-  signup:
-    # 2 attempts in 5 min (only succeeded attempts are taken into account)
-    window: 5 minutes
-    max: 2
-  ask_send_email:
-    # 3 attempts in 5 min
-    window: 5 minutes
-    max: 3
-
-# Proxies to trust to get real client IP
-# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
-# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
-trust_proxy:
-  - 'loopback'
-
-# Your database name will be database.name OR "peertube"+database.suffix
-database:
-  hostname: 'localhost'
-  port: 5432
-  ssl: false
-  suffix: '_prod'
-  username: 'peertube'
-  password: 'peertube'
-  pool:
-    max: 5
-
-# Redis server for short time storage
-# You can also specify a 'socket' path to a unix socket but first need to
-# comment out hostname and port
-redis:
-  hostname: 'localhost'
-  port: 6379
-  auth: null
-  db: 0
-
-# SMTP server to send emails
-smtp:
-  # smtp or sendmail
-  transport: smtp
-  # Path to sendmail command. Required if you use sendmail transport
-  sendmail: null
-  hostname: null
-  port: 465 # If you use StartTLS: 587
-  username: null
-  password: null
-  tls: true # If you use StartTLS: false
-  disable_starttls: false
-  ca_file: null # Used for self signed certificates
-  from_address: 'admin@example.com'
-
-email:
-  body:
-    signature: "PeerTube"
-  subject:
-    prefix: "[PeerTube]"
-
-# From the project root directory
-storage:
-  tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before processing...
-  avatars: '/var/www/peertube/storage/avatars/'
-  videos: '/var/www/peertube/storage/videos/'
-  streaming_playlists: '/var/www/peertube/storage/streaming-playlists/'
-  redundancy: '/var/www/peertube/storage/redundancy/'
-  logs: '/var/www/peertube/storage/logs/'
-  previews: '/var/www/peertube/storage/previews/'
-  thumbnails: '/var/www/peertube/storage/thumbnails/'
-  torrents: '/var/www/peertube/storage/torrents/'
-  captions: '/var/www/peertube/storage/captions/'
-  cache: '/var/www/peertube/storage/cache/'
-  plugins: '/var/www/peertube/storage/plugins/'
-  # Overridable client files : logo.svg, favicon.png and icons/*.png (PWA) in client/dist/assets/images
-  # Could contain for example assets/images/favicon.png
-  # If the file exists, peertube will serve it
-  # If not, peertube will fallback to the default fil
-  client_overrides: '/var/www/peertube/storage/client-overrides/'
-
-log:
-  level: 'info' # debug/info/warning/error
-  rotation:
-    enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
-    maxFileSize: 12MB
-    maxFiles: 20
-  anonymizeIP: false
-  log_ping_requests: true
-  prettify_sql: false
-
-trending:
-  videos:
-    interval_days: 7 # Compute trending videos for the last x days
-    algorithms:
-      enabled:
-        - 'best' # adaptation of Reddit's 'Best' algorithm (Hot minus History)
-        - 'hot' # adaptation of Reddit's 'Hot' algorithm
-        - 'most-viewed' # default, used initially by PeerTube as the trending page
-        - 'most-liked'
-      default: 'most-viewed'
-
-# Cache remote videos on your server, to help other instances to broadcast the video
-# You can define multiple caches using different sizes/strategies
-# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
-redundancy:
-  videos:
-    check_interval: '1 hour' # How often you want to check new videos to cache
-    strategies: # Just uncomment strategies you want
-#      -
-#        size: '10GB'
-#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
-#        min_lifetime: '48 hours'
-#        strategy: 'most-views' # Cache videos that have the most views
-#      -
-#        size: '10GB'
-#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
-#        min_lifetime: '48 hours'
-#        strategy: 'trending' # Cache trending videos
-#      -
-#        size: '10GB'
-#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
-#        min_lifetime: '48 hours'
-#        strategy: 'recently-added' # Cache recently added videos
-#        min_views: 10 # Having at least x views
-
-# Other instances that duplicate your content
-remote_redundancy:
-  videos:
-    # 'nobody': Do not accept remote redundancies
-    # 'anybody': Accept remote redundancies from anybody
-    # 'followings': Accept redundancies from instance followings
-    accept_from: 'anybody'
-
-csp:
-  enabled: false
-  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
-  report_uri:
-
-security:
-  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
-  frameguard:
-    enabled: true
-
-tracker:
-  # If you disable the tracker, you disable the P2P aspect of PeerTube
-  enabled: true
-  # Only handle requests on your videos.
-  # If you set this to false it means you have a public tracker.
-  # Then, it is possible that clients overload your instance with external torrents
-  private: true
-  # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
-  reject_too_many_announces: false
-
-history:
-  videos:
-    # If you want to limit users videos history
-    # -1 means there is no limitations
-    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
-    max_age: -1
-
-views:
-  videos:
-    # PeerTube creates a database entry every hour for each video to track views over a period of time
-    # This is used in particular by the Trending page
-    # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
-    # -1 means no cleanup
-    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
-    remote:
-      max_age: '30 days'
-
-plugins:
-  # The website PeerTube will ask for available PeerTube plugins and themes
-  # This is an unmoderated plugin index, so only install plugins/themes you trust
-  index:
-    enabled: true
-    check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
-    url: 'https://packages.joinpeertube.org'
-
-federation:
-  videos:
-    federate_unlisted: false
-
-    # Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments)
-    # It removes objects that do not exist anymore, and potentially fix their URLs
-    # This setting is opt-in because due to an old bug in PeerTube, remote rates sent by instance before PeerTube 3.0 will be deleted
-    # We still suggest you to enable this setting even if your users will loose most of their video's likes/dislikes
-    cleanup_remote_interactions: false
-
-peertube:
-  check_latest_version:
-    # Check and notify admins of new PeerTube versions
-    enabled: true
-    # You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
-    url: 'https://joinpeertube.org/api/v1/versions.json'
-
-###############################################################################
-#
-# From this point, all the following keys can be overridden by the web interface
-# (local-production.json file). If you need to change some values, prefer to
-# use the web interface because the configuration will be automatically
-# reloaded without any need to restart PeerTube.
-#
-# /!\ If you already have a local-production.json file, the modification of the
-# following keys will have no effect /!\.
-#
-###############################################################################
-
-cache:
-  previews:
-    size: 500 # Max number of previews you want to cache
-  captions:
-    size: 500 # Max number of video captions/subtitles you want to cache
-  torrents:
-    size: 500 # Max number of video torrents you want to cache
-
-admin:
-  # Used to generate the root user at first startup
-  # And to receive emails from the contact form
-  email: 'googlebot@tar.ninja'
-
-contact_form:
-  enabled: true
-
-signup:
-  enabled: false
-  limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
-  requires_email_verification: false
-  filters:
-    cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
-      whitelist: []
-      blacklist: []
-
-user:
-  # Default value of maximum video BYTES the user can upload (does not take into account transcoded files).
-  # -1 == unlimited
-  video_quota: -1
-  video_quota_daily: -1
-
-# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag
-# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions.
-# Please, do not disable transcoding since many uploaded videos will not work
-transcoding:
-  enabled: true
-
-  # Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos
-  allow_additional_extensions: true
-
-  # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
-  allow_audio_files: true
-
-  # Amount of threads used by ffmpeg for 1 transcoding job
-  threads: 1
-  # Amount of transcoding jobs to execute in parallel
-  concurrency: 1
-
-  # Choose the transcoding profile
-  # New profiles can be added by plugins
-  # Available in core PeerTube: 'default'
-  profile: 'default'
-
-  resolutions: # Only created if the original video has a higher resolution, uses more storage!
-    0p: false # audio-only (creates mp4 without video stream, always created when enabled)
-    240p: false
-    360p: false
-    480p: false
-    720p: false
-    1080p: false
-    1440p: false
-    2160p: false
-
-  # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
-  # If you also enabled the hls format, it will multiply videos storage by 2
-  # If disabled, breaks federation with PeerTube instances < 2.1
-  webtorrent:
-    enabled: false
-
-  # /!\ Requires ffmpeg >= 4.1
-  # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
-  #     * Resolution change is smoother
-  #     * Faster playback in particular with long videos
-  #     * More stable playback (less bugs/infinite loading)
-  # If you also enabled the webtorrent format, it will multiply videos storage by 2
-  hls:
-    enabled: true
-
-live:
-  enabled: true
-
-  # Limit lives duration
-  # -1 == unlimited
-  max_duration: -1 # For example: '5 hours'
-
-  # Limit max number of live videos created on your instance
-  # -1 == unlimited
-  max_instance_lives: 20
-
-  # Limit max number of live videos created by a user on your instance
-  # -1 == unlimited
-  max_user_lives: 3
-
-  # Allow your users to save a replay of their live
-  # PeerTube will transcode segments in a video file
-  # If the user daily/total quota is reached, PeerTube will stop the live
-  # /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
-  allow_replay: true
-
-  # Your firewall should accept traffic from this port in TCP if you enable live
-  rtmp:
-    port: 1935
-
-  # Allow to transcode the live streaming in multiple live resolutions
-  transcoding:
-    enabled: true
-    threads: 2
-
-    # Choose the transcoding profile
-    # New profiles can be added by plugins
-    # Available in core PeerTube: 'default'
-    profile: 'default'
-
-    resolutions:
-      240p: false
-      360p: false
-      480p: false
-      720p: false
-      1080p: false
-      1440p: false
-      2160p: false
-
-import:
-  # Add ability for your users to import remote videos (from YouTube, torrent...)
-  videos:
-    # Amount of import jobs to execute in parallel
-    concurrency: 1
-
-    http: # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
-      enabled: false
-
-      # IPv6 is very strongly rate-limited on most sites supported by youtube-dl
-      force_ipv4: false
-
-      # You can use an HTTP/HTTPS/SOCKS proxy with youtube-dl
-      proxy:
-        enabled: false
-        url: ""
-    torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
-      enabled: false
-
-auto_blacklist:
-  # New videos automatically blacklisted so moderators can review before publishing
-  videos:
-    of_users:
-      enabled: false
-
-# Instance settings
-instance:
-  name: 'PeerTube'
-  short_description: 'PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser.'
-  description: 'Welcome to this PeerTube instance!' # Support markdown
-  terms: 'No terms for now.' # Support markdown
-  code_of_conduct: '' # Supports markdown
-
-  # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
-  moderation_information: '' # Supports markdown
-
-  # Why did you create this instance?
-  creation_reason: '' # Supports Markdown
-
-  # Who is behind the instance? A single person? A non profit?
-  administrator: '' # Supports Markdown
-
-  # How long do you plan to maintain this instance?
-  maintenance_lifetime: '' # Supports Markdown
-
-  # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
-  business_model: '' # Supports Markdown
-
-  # If you want to explain on what type of hardware your PeerTube instance runs
-  # Example: "2 vCore, 2GB RAM..."
-  hardware_information: '' # Supports Markdown
-
-  # What are the main languages of your instance? To interact with your users for example
-  # Uncomment or add the languages you want
-  # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
-  languages:
-#    - en
-#    - es
-#    - fr
-
-  # You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
-  # Uncomment or add the category ids you want
-  # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
-  categories:
-#    - 1  # Music
-#    - 2  # Films
-#    - 3  # Vehicles
-#    - 4  # Art
-#    - 5  # Sports
-#    - 6  # Travels
-#    - 7  # Gaming
-#    - 8  # People
-#    - 9  # Comedy
-#    - 10 # Entertainment
-#    - 11 # News & Politics
-#    - 12 # How To
-#    - 13 # Education
-#    - 14 # Activism
-#    - 15 # Science & Technology
-#    - 16 # Animals
-#    - 17 # Kids
-#    - 18 # Food
-
-  default_client_route: '/videos/trending'
-
-  # Whether or not the instance is dedicated to NSFW content
-  # Enabling it will allow other administrators to know that you are mainly federating sensitive content
-  # Moreover, the NSFW checkbox on video upload will be automatically checked by default
-  is_nsfw: false
-  # By default, "do_not_list" or "blur" or "display" NSFW videos
-  # Could be overridden per user with a setting
-  default_nsfw_policy: 'do_not_list'
-
-  customizations:
-    javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
-    css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
-  # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add '/' to "Disallow:'
-  robots: |
-    User-agent: *
-    Disallow:
-  # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string.
-  securitytxt:
-    "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
-
-services:
-  # Cards configuration to format video in Twitter
-  twitter:
-    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
-    # If true, a video player will be embedded in the Twitter feed on PeerTube video share
-    # If false, we use an image link card that will redirect on your PeerTube instance
-    # Change it to "true", and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
-    whitelisted: false
-
-followers:
-  instance:
-    # Allow or not other instances to follow yours
-    enabled: true
-    # Whether or not an administrator must manually validate a new follower
-    manual_approval: false
-
-followings:
-  instance:
-    # If you want to automatically follow back new instance followers
-    # If this option is enabled, use the mute feature instead of deleting followings
-    # /!\ Don't enable this if you don't have a reactive moderation team /!\
-    auto_follow_back:
-      enabled: false
-
-    # If you want to automatically follow instances of the public index
-    # If this option is enabled, use the mute feature instead of deleting followings
-    # /!\ Don't enable this if you don't have a reactive moderation team /!\
-    auto_follow_index:
-      enabled: false
-      # Host your own using https://framagit.org/framasoft/peertube/instances-peertube#peertube-auto-follow
-      index_url: ''
-
-theme:
-  default: 'default'
-
-broadcast_message:
-  enabled: false
-  message: '' # Support markdown
-  level: 'info' # 'info' | 'warning' | 'error'
-  dismissable: false
-
-search:
-  # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
-  # If enabled, the associated group will be able to "escape" from the instance follows
-  # That means they will be able to follow channels, watch videos, list videos of non followed instances
-  remote_uri:
-    users: true
-    anonymous: false
-
-  # Use a third party index instead of your local index, only for search results
-  # Useful to discover content outside of your instance
-  # If you enable search_index, you must enable remote_uri search for users
-  # If you do not enable remote_uri search for anonymous user, your instance will redirect the user on the origin instance
-  # instead of loading the video locally
-  search_index:
-    enabled: false
-    # URL of the search index, that should use the same search API and routes
-    # than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
-    # You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
-    # and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
-    url: ''
-    # You can disable local search, so users only use the search index
-    disable_local_search: false
-    # If you did not disable local search, you can decide to use the search index by default
-    is_default_search: false

machines/nanachi/configuration.nix

@@ -1,42 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports =[
-    ./hardware-configuration.nix
-  ];
-
-  # uxzq63kr2uuwutpaqjna2sg4gnk3p65e5bkvedzx5dsxx2mvxhjm7fid.onion
-
-  nix.flakes.enable = true;
-
-  bios = {
-    enable = true;
-    device = "/dev/vda";
-  };
-
-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/e57ac752-bd99-421f-a3b9-0cfa9608a54e";
-  };
-
-  networking.hostName = "nanachi";
-
-  networking.interfaces.ens3.useDHCP = true;
-
-  services.icecast = {
-    enable = true;
-    hostname = "nanachi.neet.dev";
-    mount = "stream.mp3";
-    fallback = "fallback.mp3";
-  };
-
-  security.acme.acceptTerms = true;
-  security.acme.email = "letsencrypt+5@tar.ninja";
-
-  services.nginx.enable = true;
-  services.nginx.virtualHosts."nanachi.neet.dev" = {
-    enableACME = true;
-    forceSSL = true;
-    root = "/var/www/tmp";
-  };
-}

machines/nanachi/hardware-configuration.nix

@@ -1,37 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/mapper/vg-root";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/mapper/vg-root";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/47b13d6a-0bbb-42a6-abd9-2b06f76d9718";
-      fsType = "ext3";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/b7533a50-6dd2-4a64-953b-a8218e77d9fa"; }
-    ];
-
-}

machines/nat/configuration.nix

@@ -0,0 +1,15 @@
+{ config, pkgs, fetchurl, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  efi.enable = true;
+
+  networking.hostName = "nat";
+  networking.interfaces.ens160.useDHCP = true;
+
+  de.enable = true;
+  de.touchpad.enable = true;
+}

machines/nat/hardware-configuration.nix

@@ -0,0 +1,27 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/0C95-1290";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+}

machines/neet.dev/configuration.nix

@@ -1,64 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  imports =[
-    ./hardware-configuration.nix
-  ];
-
-  # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
-
-  nix.flakes.enable = true;
-
-  bios = {
-    enable = true;
-    device = "/dev/sda";
-  };
-
-  luks = {
-    enable = true;
-    device.path = "/dev/disk/by-uuid/06f6b0bf-fe79-4b89-a549-b464c2b162a1";
-  };
-
-  networking.hostName = "neetdev";
-
-  networking.interfaces.eno1.useDHCP = true;
-
-  services.nginx.enable = true;
-  security.acme.acceptTerms = true;
-  security.acme.email = "letsencrypt+5@tar.ninja";
-
-  services.thelounge = {
-    enable = true;
-    port = 9000;
-    fileUploadBaseUrl = "https://files.neet.cloud/irc/";
-    host = "irc.neet.dev";
-    fileHost = {
-      host = "files.neet.cloud";
-      path = "/irc";
-    };
-  };
-
-  services.murmur = {
-    enable = true;
-    port = 23563;
-    domain = "voice.neet.space";
-  };
-
-  mailserver = {
-    enable = true;
-    fqdn = "mail.neet.dev";
-    domains = [ "neet.space" "neet.dev" "neet.cloud" ];
-    loginAccounts = {
-      "jeremy@neet.dev" = {
-        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
-        hashedPasswordFile = "/secret/email.password";
-        aliases = [
-          "zuckerberg@neet.space"
-          "zuckerberg@neet.cloud"
-          "zuckerberg@neet.dev"
-        ];
-      };
-    };
-    certificateScheme = 3; # use let's encrypt for certs
-  };
-}

machines/neet.dev/hardware-configuration.nix

@@ -1,38 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ahci" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/35ca3392-548a-45ef-9e72-392cddfcea1b";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/d1d3cc19-980f-42ea-9784-a223ea71f435";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/86fdcded-3f0e-4ee0-81bc-c1c92cb96ab1"; }
-    ];
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
-}

machines/phil/default.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  services.gitea-runner = {
+    enable = true;
+    instanceUrl = "https://git.neet.dev";
+  };
+
+  system.autoUpgrade.enable = true;
+}

machines/phil/hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  # because grub just doesn't work for some reason
+  boot.loader.systemd-boot.enable = true;
+
+  remoteLuksUnlock.enable = true;
+  remoteLuksUnlock.enableTorUnlock = false;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  luks.devices = [ "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194" ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/F185-C4E5";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
+
+  networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

machines/phil/properties.nix

@@ -0,0 +1,20 @@
+{
+  hostNames = [
+    "phil"
+    "phil.neet.dev"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "server"
+    "gitea-runner"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
+    clearnetHost = "unlock.phil.neet.dev";
+  };
+}